On 7/12/07, Alexey Sopov <[EMAIL PROTECTED]> wrote:
Hi,
On my machine with FreeBSD 6.2-STABLE #4 I noticed there are
outgoing packets from net 192.168.0.0/16 on the external interface.
Some details:
Here 1 < a,b,c,d,e,f < 254
~> ifconfig internal
internal: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:04:23:b0:53:ca
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
~> ifconfig external
external: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=48<VLAN_MTU,POLLING>
inet a.b.c.22 netmask 0xfffffffc broadcast a.b.c.23
ether 00:02:b3:4c:83:6e
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
~> grep -v '^#' /etc/pf.conf | grep mynet
table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }
~> sudo pfctl -s a | less
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
rdr on external inet proto tcp from any to a.b.e.1 port = ftp -> 192.168.0.2 port 21
rdr on external inet proto udp from any to a.b.e.1 port = 4127 -> 192.168.0.2 port 4127
rdr on external inet proto tcp from any to a.b.e.1 port = 4899 -> 192.168.0.2 port 4899
rdr on external inet proto tcp from any to a.b.c.22 port = 4022 -> 172.16.56.57 port 22
FILTER RULES:
pass in all
pass out all
pass out quick on external inet from a.b.c.20/30 to any
pass out quick on external inet from a.b.d.224/27 to any
pass out quick on external inet from a.b.e.0/24 to any
block drop out on external all
STATES:
#a lot of states
INFO:
Status: Enabled for 0 days 11:06:40 Debug: Urgent
Hostid: 0x2055eb8b
State Table Total Rate
current entries 4182
searches 250779576 6269.5/s
inserts 1877065 46.9/s
removals 1872883 46.8/s
Counters
match 165990128 4149.8/s
bad-offset 0 0.0/s
fragment 15 0.0/s
short 2 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 4550 0.1/s
proto-cksum 0 0.0/s
state-mismatch 6233 0.2/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
TIMEOUTS:
tcp.first 30s
tcp.opening 5s
tcp.established 18000s
tcp.closing 60s
tcp.finwait 30s
tcp.closed 30s
tcp.tsdiff 10s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 5s
interval 2s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 50000
src-nodes hard limit 30000
frags hard limit 50000
TABLES:
mynet
OS FINGERPRINTS:
348 fingerprints loaded
Here I try to catch packets on external interface:
~> sudo tcpdump -ni external src net 192.168.0.0/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 96 bytes
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
12:59:44.401946 IP 192.168.54.12.2124 > 194.145.212.35.80: . ack 2208596276 win 0
12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
12:59:44.401971 IP 192.168.46.101.1652 > 81.19.80.2.80: . ack 1004425830 win 0
12:59:44.401983 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1120457487 win 0
12:59:44.401995 IP 192.168.54.71.1578 > 87.248.217.79.80: . ack 2473371997 win 0
12:59:44.402022 IP 192.168.38.49.4183 > 65.54.195.188.80: . ack 964472648 win 0
12:59:44.402041 IP 192.168.42.90.60363 > 66.249.93.91.80: . ack 2862783680 win 0
12:59:44.402055 IP 192.168.46.46.58867 > 89.188.102.70.80: . ack 2523375288 win 0
12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
12:59:44.402087 IP 192.168.60.38.2050 > 66.235.180.76.8080: . ack 2443543023 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
12:59:49.400190 IP 192.168.42.124.1314 > 81.19.80.2.80: . ack 1518361964 win 0
12:59:49.400202 IP 192.168.42.124.1315 > 217.16.26.60.80: . ack 2295931572 win 0
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
12:59:49.400229 IP 192.168.42.124.1311 > 81.222.128.13.80: . ack 1477893358 win 0
12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
12:59:49.400255 IP 192.168.42.124.1309 > 194.67.23.108.80: . ack 2813951723 win 0
12:59:49.400269 IP 192.168.38.16.1311 > 88.85.78.58.80: . ack 3157990844 win 0
12:59:49.400281 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1 win 0
12:59:49.400318 IP 192.168.11.118.2487 > 213.180.214.31.80: . ack 0 win 0
12:59:49.400331 IP 192.168.52.33.64997 > 193.192.41.2.80: . ack 69990011 win 0
12:59:49.400352 IP 192.168.24.16.1047 > 64.12.31.144.5190: . ack 2248286157 win 0
12:59:49.400371 IP 192.168.60.38.2057 > 66.235.180.76.8080: . ack 2458160570 win 0
12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
^C
28 packets captured
45864 packets received by filter
0 packets dropped by kernel
Why weren't these packets translated by the pf nat rules or filtered by the pf
block rule?
Note that they appear once every five seconds. I tried modifying the frag parameter,
but this didn't help. I also noticed they all have the ACK bit set.
Thank you.
What is the date of your build (uname -a)? There was a commit
recently to fix fragmented packets with hardware checksums:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf_norm.c.diff?r1=1.11.2.4;r2=1.11.2.5;only_with_tag=RELENG_6
Maybe you just need to cvsup and build a new kernel / world?
Scott
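The helpers below are an added example, not code from either post. They cover both Alexey's capture (picking out packets whose source is still in <mynet> when they leave the external interface, and showing their timing) and the fragment/hardware-checksum angle raised in the reply. Assumptions: the interface names "external" and "internal" and the <mynet> table exactly as posted (192.168.0.0/16 and 172.16.0.0/16); the sample capture is constructed (three lines copied from the post, three made up); the live functions need root on the router.

```shell
#!/bin/sh
# Added diagnostic helpers for the leak described in the thread. Not code
# from the original posts. Assumes the interface names "external" and
# "internal" and the <mynet> table exactly as posted (192.168.0.0/16 and
# 172.16.0.0/16). Only capture_leaks, capture_leaked_fragments and
# disable_hw_csum touch the system; everything else is pure text processing.

# Constructed sample modelled on the post's tcpdump output: the first three
# lines are copied from it, the last three are made up (one 172.16/16 source,
# one 172.17 source that the posted table does not cover, one public source).
SAMPLE_CAPTURE='12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400242 IP 172.16.56.57.22 > 203.0.113.5.4022: . ack 1 win 0
12:59:49.400300 IP 172.17.0.9.1234 > 203.0.113.5.80: . ack 1 win 0
12:59:49.400400 IP 198.51.100.7.443 > 203.0.113.5.5555: . ack 1 win 0'

# True when the address lies in <mynet> as the post defines it. The posted
# table covers 172.16.0.0/16 only, not the whole 172.16.0.0/12, so a
# 172.17.x.x source would be treated like a public one by the nat rule.
in_mynet() {
    case "$1" in
        192.168.*.*|172.16.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce tcpdump lines on stdin to "<HH:MM:SS> <src_ip>". tcpdump prints the
# source as A.B.C.D.port, so the trailing .port is stripped.
capture_fields() {
    awk '{ sub(/\.[0-9]+$/, "", $3); print substr($1, 1, 8), $3 }'
}

# Keep only packets whose source is in <mynet>: on the external interface
# these should have been translated by the nat rule or dropped by
# "block drop out on external all".
leaked_packets() {
    capture_fields | while read -r ts ip; do
        if in_mynet "$ip"; then printf '%s %s\n' "$ts" "$ip"; fi
    done
}

# Number of leaked packets in a capture read from stdin.
count_leaks() {
    leaked_packets | awk 'END { print NR }'
}

# Leaked packets per wall-clock second, sorted, which makes the
# "once every five seconds" bursts from the post easy to see.
leak_buckets() {
    leaked_packets | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Live check on the router: the post's capture, but with -v so the IP id,
# DF/MF flags and fragment offset are printed, which is what the pf_norm.c
# fragment fix mentioned in the reply turns on.
capture_leaks() {
    tcpdump -nn -i "${1:-external}" -v \
        'src net 192.168.0.0/16 or src net 172.16.0.0/16'
}

# Same capture restricted to IP fragments (MF bit set or non-zero offset).
capture_leaked_fragments() {
    tcpdump -nn -i "${1:-external}" -v \
        '(src net 192.168.0.0/16 or src net 172.16.0.0/16) and (ip[6:2] & 0x3fff) != 0'
}

# Hardware-checksum angle: the posted ifconfig shows RXCSUM and TXCSUM on
# the internal interface. Turn them off, re-run capture_leaks and compare.
# Revert with: ifconfig internal rxcsum txcsum
disable_hw_csum() {
    ifconfig "${1:-internal}" -rxcsum -txcsum
}
```

After sourcing the file, `tcpdump -nn -r leak.pcap | leak_buckets` on a saved capture shows whether the leaked packets really arrive in five-second bursts; `capture_leaked_fragments` is the direct test of the fragment hypothesis in the reply, and if the leak stops after `disable_hw_csum internal` that points at checksum offload before anyone rebuilds the kernel.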
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"