Network layout: (ISP)->[cable modem]->[OpenBSD]->(rest of my network)

Recently the ISP changed the cable modem, and since then I noticed strange issues. Simplest repeatable test:

rsync -avP rsync://ftp2.eu.openbsd.org/OpenBSD/snapshots/i386 /tmp/

Now here comes the strange part: on the OpenBSD box acting as my router this stalls after a while. Same on a FreeBSD box behind it. But it works without any issue on a Linux box behind the same OpenBSD machine.

With pfctl -x info I see the following when rsync from the FreeBSD box stalls:

Aug 17 15:01:43 keibi /bsd: pf: BAD state: TCP out wire: (0) 137.208.8.135:873 172.30.205.2:63278 stack: (0) 137.208.8.135:873 192.168.13.13:46460 [lo=3971834393 high=3971865753 win=1026 modulator=0 wscale=6] [lo=2515060045 high=2515125709 win=980 modulator=0 wscale =5] 4:4 @8 A seq=2515168085 (2515168085) ack=3971834393 len=1460 ackskew=0 pkts=21851:43626 dir=in,rev
Aug 17 15:01:43 keibi /bsd: pf: State failure on: 1 |
Aug 17 15:01:44 keibi /bsd: pf: BAD state: TCP out wire: (0) 137.208.8.135:873 172.30.205.2:63278 stack: (0) 137.208.8.135:873 192.168.13.13:46460 [lo=3971834393 high=3971865753 win=1026 modulator=0 wscale=6] [lo=2515061505 high=2515127169 win=980 modulator=0 wscale =5] 4:4 @8 A seq=2515169545 (2515169545) ack=3971834393 len=1460 ackskew=0 pkts=21852:43627 dir=in,rev
Aug 17 15:01:44 keibi /bsd: pf: State failure on: 1 |

When the OpenBSD box stalls I get:

Aug 17 15:09:52 keibi /bsd: pf: BAD state: TCP out wire: (0) 77.238.36.56:873 172.30.205.2:65533 stack: (0) 77.238.36.56:873 172.30.205.2:39510 [lo=2445871828 high=2445903316 win=2048 modulator=0 wscale=3] [lo=2724110043 high=2724126427 win=123 modulator=0 wscale=8] 4:4 @8 A seq=2724130483 (2724130483) ack=2445871828 len=1460 ackskew=0 pkts=1381:2048 dir=in,rev
Aug 17 15:09:52 keibi /bsd: pf: State failure on: 1 |
Aug 17 15:09:52 keibi /bsd: pf: BAD state: TCP out wire: (0) 77.238.36.56:873 172.30.205.2:65533 stack: (0) 77.238.36.56:873 172.30.205.2:39510 [lo=2445871828 high=2445903316 win=2048 modulator=0 wscale=3] [lo=2724110043 high=2724126427 win=123 modulator=0 wscale=8] 4:4 @8 A seq=2724131943 (2724131943) ack=2445871828 len=1460 ackskew=0 pkts=1381:2048 dir=in,rev
Aug 17 15:09:52 keibi /bsd: pf: State failure on: 1 |

More info on configuration:

$ grep -v ^# /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
machdep.apmhalt=1               # 1=powerdown hack, try if halt -p doesn't work
machdep.kbdreset=1              # permit console CTRL-ALT-DEL to do a nice halt

kern.version=OpenBSD 5.6 (GENERIC.MP) #278: Wed Jul 30 11:51:47 MDT 2014
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

pf.conf:

ext_if="xl0"
int_if="rl0"
tamotsu="192.168.13.13"
phone="192.168.13.xx"

table <badhosts> persist
table <brutes> persist

set skip on lo

block drop in quick from <brutes>
block drop in quick from <badhosts>

anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

match out log on $ext_if from !$phone nat-to ($ext_if)
match out log on $ext_if inet proto { tcp, udp} from $phone to any \
    nat-to ($ext_if) static-port

block return    # block stateless traffic
pass out log
pass in log on $int_if

table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp

pass in log on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn-rate 4/30, overload <brutes> flush global)
pass in log on $ext_if proto tcp from any to ($ext_if) port { 5222, 5223, 5269 } keep state
pass in log on $ext_if proto { tcp, udp } from any to ($ext_if) port 5000:5100 \
    rdr-to $phone port 5000:*
pass in log on $ext_if proto tcp from any to ($ext_if) port imaps keep state
pass in log on $ext_if proto tcp from any to ($ext_if) port 53589

block return in on ! lo0 proto tcp to port 6000:6010

Any ideas what's going on here, and what to do about it?

--
viq
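
An added example, not part of the original post: a small parser for the "pf: BAD state" entries quoted above that extracts the two bracketed lo/high windows and reports how far the logged segment's seq and ack lie from them, using wrap-safe 32-bit arithmetic. The function names and the rule for pairing a bracket with the packet (nearest lo to seq) are assumptions of this example, not pf's own logic.

```python
import re

# One "BAD state" entry copied from the post above (FreeBSD client stall).
SAMPLE = (
    "Aug 17 15:01:43 keibi /bsd: pf: BAD state: TCP out wire: (0) "
    "137.208.8.135:873 172.30.205.2:63278 stack: (0) 137.208.8.135:873 "
    "192.168.13.13:46460 [lo=3971834393 high=3971865753 win=1026 "
    "modulator=0 wscale=6] [lo=2515060045 high=2515125709 win=980 "
    "modulator=0 wscale =5] 4:4 @8 A seq=2515168085 (2515168085) "
    "ack=3971834393 len=1460 ackskew=0 pkts=21851:43626 dir=in,rev"
)

# "wscale\s*=" tolerates the stray space seen in some of the quoted entries.
PEER_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale\s*=(\d+)\]")
PKT_RE = re.compile(r"seq=(\d+) \(\d+\) ack=(\d+) len=(\d+)")
KEYS = ("lo", "high", "win", "modulator", "wscale")

def seq_diff(a, b):
    """Signed distance a - b in 32-bit TCP sequence space (handles wrap)."""
    d = (a - b) & 0xFFFFFFFF
    return d - (1 << 32) if d & 0x80000000 else d

def parse_bad_state(line):
    """Return the two tracked windows and the packet fields, or None."""
    peers = [dict(zip(KEYS, map(int, m.groups()))) for m in PEER_RE.finditer(line)]
    pkt = PKT_RE.search(line)
    if "BAD state" not in line or len(peers) != 2 or pkt is None:
        return None
    seq, ack, length = map(int, pkt.groups())
    return {"peers": peers, "seq": seq, "ack": ack, "len": length}

def window_offsets(line):
    """Offsets of the logged segment from the tracked lo/high values."""
    rec = parse_bad_state(line)
    if rec is None:
        return None
    # Assumption of this example: the bracket whose lo is nearest to seq
    # tracks the sender of the logged packet; the other one is its peer.
    sender, peer = sorted(rec["peers"], key=lambda p: abs(seq_diff(rec["seq"], p["lo"])))
    return {
        "seq_minus_lo": seq_diff(rec["seq"], sender["lo"]),
        "seq_minus_high": seq_diff(rec["seq"], sender["high"]),
        "ack_minus_peer_lo": seq_diff(rec["ack"], peer["lo"]),
    }

if __name__ == "__main__":
    print(window_offsets(SAMPLE))
```

For the entry used here, the segment's seq is 42376 above the nearer bracket's high value, while its ack equals the other bracket's lo.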