Whoops, I forgot about attachments being stripped.
$ tcpdump -nr dmz_production_if-side -vv
reading from file dmz_production_if-side, link-type EN10MB (Ethernet)
16:32:15.627327 IP (tos 0x0, ttl 63, id 49423, offset 0, flags [DF], proto:
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0x3bd9
(correct), 4232982860:4232982860(0) win 5840 <mss 1460,sackOK,timestamp
712219763 0,nop,wscale 2>
16:32:15.627423 IP (tos 0x0, ttl 128, id 22766, offset 0, flags [none], proto:
TCP (6), length: 64) 10.11.0.5.80 > 10.10.10.150.57818: S, cksum 0x934f
(correct), 49492280:49492280(0) ack 4232982861 win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
16:32:18.628278 IP (tos 0x0, ttl 63, id 49424, offset 0, flags [DF], proto:
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xcd5e
(correct), 4232982860:4232982860(0) win 5840 <mss 1460,sackOK,timestamp
712220513 0,nop,wscale 2>
16:32:18.833758 IP (tos 0x0, ttl 128, id 22768, offset 0, flags [none], proto:
TCP (6), length: 64) 10.11.0.5.80 > 10.10.10.150.57818: S, cksum 0x934f
(correct), 49492280:49492280(0) ack 4232982861 win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
16:32:24.628962 IP (tos 0x0, ttl 63, id 49425, offset 0, flags [DF], proto:
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xc782
(correct), 4232982860:4232982860(0) win 5840 <mss 1460,sackOK,timestamp
712222013 0,nop,wscale 2>
16:32:28.130462 IP (tos 0x0, ttl 128, id 22769, offset 0, flags [none], proto:
TCP (6), length: 64) 10.11.0.5.80 > 10.10.10.150.57818: S, cksum 0x934f
(correct), 49492280:49492280(0) ack 4232982861 win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
$ tcpdump -nr int_if-side -vv host 10.11.0.5
reading from file int_if-side, link-type EN10MB (Ethernet)
16:32:15.627282 IP (tos 0x0, ttl 64, id 49423, offset 0, flags [DF], proto:
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xd7c2
(correct), 875912572:875912572(0) win 5840 <mss 1460,sackOK,timestamp
712219763 0,nop,wscale 2>
16:32:18.628245 IP (tos 0x0, ttl 64, id 49424, offset 0, flags [DF], proto:
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xd4d4
(correct), 875912572:875912572(0) win 5840 <mss 1460,sackOK,timestamp
712220513 0,nop,wscale 2>
16:32:24.628925 IP (tos 0x0, ttl 64, id 49425, offset 0, flags [DF], proto:
TCP (6), length: 60) 10.10.10.150.57818 > 10.11.0.5.80: S, cksum 0xcef8
(correct), 875912572:875912572(0) win 5840 <mss 1460,sackOK,timestamp
712222013 0,nop,wscale 2>
On Thursday 15 February 2007 9:07 am, Tim Kuhlman wrote:
> On Wednesday 14 February 2007 1:29 pm, Stuart Henderson wrote:
> > On 2007/02/14 11:47, Tim Kuhlman wrote:
> > > So what is happening? It seems to me that either pf is broken or his
> > > linux kernel is broken and pf is catching it. Any ideas as to which is
> > > the cause?
> >
> > Ruleset more likely. If you post it, people can make suggestions.
> > Might be useful to capture a SYN with tcpdump and post any state entries
> > relating to it, too (the relevant parts of pfctl -ss -v).
>
> So my ruleset has some problems. I took some time to work through my rules
> and re-read the state tracking section of the pf faq (which by the way is
> well done, thanks). I found what I think are a couple of problems, I needed
> to have the flags S/SA so that it paid attention to the syn packet and for
> some reason I had the state policy globally set to if-bound rather than
> floating. When I change both of those a new problem appears, routing
> between my internal network and DMZ's doesn't work.
>
> The syn packet goes through and appears to create state but the Syn/Ack
> packet isn't let back through. I thought that was it created state one way
> it was supposed to allow it back the other. Surely I am missing something
> simple.
>
> Here is the state as it appears with the new rules from a "pfctl -vvss", I
> also attached a tcpdump capture from both interfaces on the router.
>
> all tcp 10.10.10.150:49516 -> 10.11.0.5:80 ESTABLISHED:SYN_SENT
> [573330559 + 16385](+3517130307) wscale 2 [3039928992 +
> 5840](+146001125) wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts,
> 116:64 bytes, rule 135 id: 45c74dc600234f51 creatorid: b3647a00
>
> The router has 5 interfaces and 10 ip addresses associated with it so I
> will spare you the full ruleset but here are the ones that are relevant. I
> copied the rules as they are including the extra interfaces and such.
> $DMZ_production_if is the 10.11.0.0/24 network
> $int_if is the 10.10.8.0/21 network
>
> table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }
>
> pass in on { $int_if $vpn_if } proto {tcp udp icmp} from <int_net> to \
> { $DMZ_production_if:network, $DMZ_proto_if:network }
>
> pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if
> $DMZ_proto_if } proto \
> {tcp udp icmp} flags S/SA modulate state
>
> Thanks again.
--
Tim Kuhlman
Network Administrator
ColoradoVnet.com
