I'm still having this reset problem. 

Looking at the logs below, the reset seems to be coming from the session
being blocked (the last log), but why would PF block the session when it
accepted the session about 70 seconds before (the first 2 logs)?

Since Ethereal shows that the SSH client is not trying to establish a new
session, it seems that PF must have lost track that it had already
accepted this session...

What is really weird is that it only happens when SSH-ing to this host
(10.0.1.24); connections to a host (10.0.1.22) right next to it on the
same subnet stay up all the time.

Again, this is with OBSD 4.2

Any ideas?

Thanks,
Kent

Kent Watsen wrote:

  I'm consistently getting a RST packet, but I can't figure out why?

  # tcpdump -nettti pflog0
  tcpdump: listening on pflog0, link-type PFLOG
  Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4:
  10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
  Nov 14 11:42:20.408407 rule 34/(match) pass out on vlan1:
  10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
  Nov 14 11:42:20.550409 rule 43/(match) pass in on vlan1:
  10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
  Nov 14 11:42:20.550514 rule 47/(match) pass out on vlan2:
  10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
  Nov 14 11:42:21.754224 rule 57/(match) pass in on vlan3:
  10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
  Nov 14 11:42:53.614950 rule 47/(match) pass out on vlan2:
  96.253.91.225.4814 > 10.0.2.2.53:[|domain]
  Nov 14 11:42:57.672970 rule 0/(match) block in on vlan1:
  10.0.1.20.2001 > 255.255.255.255.37: udp 0
  Nov 14 11:43:06.344155 rule 0/(match) block in on vlan3: [|ip6]
  Nov 14 11:43:25.756063 rule 57/(match) pass in on vlan3:
  10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
  Nov 14 11:43:38.740956 rule 0/(match) block in on vlan4:
  10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF) [tos 0x10]
  ^C

  Note: I pressed return in the SSH shell at 11:43:38

  Running Ethereal on 10.0.4.6, I can see the SSH packet from
  10.0.4.6:53255 --> 10.0.1.24:22 followed immediately by a RST packet
  from 10.0.1.24:22 --> 10.0.4.6:53255

  The thing that confuses me is that:
  - 10.0.4.6 has no trouble maintaining SSH connections to other hosts
  in the 10.0.1.0/24 network
  - other hosts in the 10.0.1.0/24 network have no trouble maintaining
  SSH connections with 10.0.1.24

  # pfctl -vvs rules
  @0 scrub in on gem0 all fragment reassemble
  [ Evaluations: 1893945 Packets: 22091 Bytes: 10427870 States:
  0 ]
  [ Inserted: uid 0 pid 26797 ]
  @0 block return log all
  [ Evaluations: 5467 Packets: 946 Bytes: 67688 States:
  0 ]
  [ Inserted: uid 0 pid 26797 ]
  <snip>
  @34 pass out log quick on vlan1 inet proto tcp from 10.0.4.6 to
  10.0.1.0/24 port = ssh flags S/SA keep state
  [ Evaluations: 82 Packets: 1430 Bytes: 193425 States:
  1 ]
  [ Inserted: uid 0 pid 26797 ]
  <snip>
  @62 pass in log quick on vlan4 inet from 10.0.4.0/24 to any flags
  S/SA
  keep state
  [ Evaluations: 635 Packets: 22817 Bytes: 13187743 States:
  4 ]
  [ Inserted: uid 0 pid 26797 ]
  <snip>

  Any ideas?

  PS: I'm running OpenBSD 4.2 - CARP is configured, but the other machine
  is powered down

  Thanks,
  Kent
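As an added example (not from Kent's post or from OpenBSD), a small Python helper that parses pflog output in the `tcpdump -nettti pflog0` format quoted above and flags any flow that PF first passed and later blocked on the same interface and direction, which is exactly the symptom described here (a state entry that went missing mid-session, so the packet falls through to the default `block return` rule 0). It assumes the line format shown in the post, and the sample input is constructed from the post's own log lines, still wrapped the way the mail client wrapped them.

```python
import re
from collections import defaultdict
from datetime import datetime

# One record as printed by `tcpdump -nettti pflog0` (format as quoted in the post);
# the trailing [|tcp] / (DF) / [tos ...] decoration is ignored.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): *"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def parse_pflog(text):
    """Parse records; a line not starting with a timestamp is a mail-wrapped continuation."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if records and not re.match(r"^[A-Z][a-z]{2} +\d+ \d\d:", line):
            records[-1] += " " + line
        else:
            records.append(line)
    parsed = []
    for m in filter(None, map(RECORD_RE.match, records)):  # non-matching lines are skipped
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S.%f")
        d["rule"] = int(d["rule"])
        parsed.append(d)
    return parsed

def find_lost_states(text):
    """Flag flows PF passed and later blocked on the same interface/direction (state vanished)."""
    by_flow = defaultdict(list)
    for d in parse_pflog(text):
        by_flow[(d["src"], d["sport"], d["dst"], d["dport"], d["iface"], d["dir"])].append(d)
    findings = []
    for key, events in by_flow.items():
        last_pass = None
        for e in events:
            if e["action"] == "pass":
                last_pass = e
            elif last_pass is not None:  # a block after an earlier pass for the same flow
                gap = (e["ts"] - last_pass["ts"]).total_seconds()
                findings.append({"flow": key[:4], "iface": key[4], "pass_rule": last_pass["rule"],
                                 "block_rule": e["rule"], "gap_seconds": round(gap, 3)})
                last_pass = None
    return findings

# Constructed sample: two records from the post's pflog excerpt, still mail-wrapped.
SAMPLE = """Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4:
10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:43:38.740956 rule 0/(match) block in on vlan4:
10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF) [tos 0x10]"""
```

Running `find_lost_states` over the full excerpt from the post reports the 10.0.4.6:53255 -> 10.0.1.24:22 flow on vlan4 (passed by rule 62, blocked by rule 0 about 78 seconds later) and nothing else, which matches the reading that the state for that one session disappeared.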
