Hello, nobody has an answer for that? :/ Or was my explanation not English enough? =) Please let me know if something is ambiguous.
Regards
Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of openbsd misc
Sent: Thursday, 10 August 2006 23:31
To: OpenBSD Misc
Subject: pf - strange behavior

Hello,

I have a problem I have no explanation for. Here's the situation: I have a Windows XP client pinging (ping -t) an internet host (NAT through my obsd test system). That's my pf.conf:

# cat /etc/pf.conf
ext_if="pppoe0"
int_if="sis1"

set block-policy return
set skip on lo

scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in
pass out keep state

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

After rebooting my obsd system (while the ping is running), the ping cannot get through when the system comes up again. The obsd system sends out ICMP packets without NAT. The source IP address is 192.168.122.128, but it should be the public IP address of the obsd system (first line):

# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85       0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123       MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85       0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840       ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2

The really strange thing is the Windows Server 2003 (192.168.122.16). It's also running the ping all the time. Its packets get caught by the NAT rule correctly.

If I stop the ping on the Windows XP system, wait 10 sec (icmp.error value) and ping again, everything is working fine:

after 10 sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85       0:0

And here's my question: WHY? =)

As you can see, the Windows server created several connections. I think that the ICMP packets get caught by NAT because it creates other connections, too.

Btw, I'm using kernel-based pppoe (using spppcontrol) to get a connection to my ISP.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all

No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123       MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85       0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840       ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52582 -> 84.60.163.18:65442 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85       0:0
all tcp 192.168.122.16:52585 -> 84.60.163.18:52933 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52587 -> 84.60.163.18:57017 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52588 -> 84.60.163.18:51838 -> 151.189.21.113:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52589 -> 84.60.163.18:54659 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52591 -> 84.60.163.18:53183 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52592 -> 84.60.163.18:51607 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52593 -> 84.60.163.18:54610 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52595 -> 84.60.163.18:51144 -> 213.35.101.4:21       TIME_WAIT:TIME_WAIT
all tcp 192.168.122.16:52597 -> 84.60.163.18:63712 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all icmp 84.60.163.18:256 <- 84.184.202.84       0:0
all tcp 192.168.122.16:52601 -> 84.60.163.18:51174 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52602 -> 84.60.163.18:63336 -> 213.35.101.4:21       ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 0 days 00:04:18           Debug: Urgent

State Table                          Total             Rate
  current entries                       24
  searches                            6559           25.4/s
  inserts                              234            0.9/s
  removals                             210            0.8/s
Counters
  match                               3296           12.8/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           1            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states        hard limit  10000
src-nodes     hard limit  10000
frags         hard limit   5000
tables        hard limit   1000
table-entries hard limit 100000

TABLES:

OS FINGERPRINTS:
382 fingerprints loaded

Regards
Hagen Volpers
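The symptom above is visible directly in the state table: a NATed outbound state in `pfctl -ss` output shows three endpoints (original source -> translated source -> destination), while the broken ping state shows only two (192.168.122.128 -> 193.99.144.85), i.e. it was created without a translation. The following is an added example, not part of the original thread, of a small shell check that scans `pfctl -ss` style lines for outbound states whose source is an RFC 1918 address and which carry no NAT hop. It assumes the 2006-era `pfctl -ss` line format shown in the post (the sample lines below are constructed from it); the function name `find_unnatted_states` is the example's own.

```shell
#!/bin/sh
# Added example: flag pf states that were created without NAT.
# Reads `pfctl -ss` style lines on stdin. An outbound NATed state has two
# "->" tokens (orig-src -> nat-src -> dst); an untranslated one has only one.
# Inbound states ("<-") are skipped. Field layout assumed (2006-era pfctl):
#   $1=all/iface  $2=proto  $3=src[:port]  $4=direction  ...

find_unnatted_states() {
    awk '
    # RFC 1918 check on a bare address (port / ICMP id already stripped)
    function rfc1918(a) {
        return a ~ /^10\./ || a ~ /^192\.168\./ || a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    $4 == "->" {
        # count NAT hops: two "->" tokens mean a translated source is present
        n = 0
        for (i = 1; i <= NF; i++) if ($i == "->") n++
        split($3, ep, ":")      # ep[1] is the address without port / id
        if (n == 1 && rfc1918(ep[1])) print
    }'
}

# Constructed sample, taken from the shapes of lines in the post above.
SAMPLE_STATES='all icmp 192.168.122.128:512 -> 193.99.144.85 0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123 MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840 ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110 FIN_WAIT_2:FIN_WAIT_2'

# Stand-alone run against the sample; on a live box use:  pfctl -ss | find_unnatted_states
printf '%s\n' "$SAMPLE_STATES" | find_unnatted_states
```

Only the first sample line is reported: it is the state for the XP client's ping that left 192.168.122.128 untranslated, which is exactly the entry the poster points at as "first line". The NATed ping from 192.168.122.16 and the TCP/UDP states pass the check, and the inbound SSH state is ignored because its direction is "<-".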