Hi

On my machine with FreeBSD 6.2-STABLE #4 I noticed there are
outgoing packets from net 192.168.0.0/16 on external interface

Some details:
Here 1 < a,b,c,d,e,f < 254

~> ifconfig internal
internal: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:04:23:b0:53:ca
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
~> ifconfig external
external: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        inet a.b.c.22 netmask 0xfffffffc broadcast a.b.c.23
        ether 00:02:b3:4c:83:6e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

~> grep -v '^#' /etc/pf.conf | grep mynet
table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }

~> sudo pfctl -s a | less
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
rdr on external inet proto tcp from any to a.b.e.1 port = ftp -> 192.168.0.2 port 21
rdr on external inet proto udp from any to a.b.e.1 port = 4127 -> 192.168.0.2 port 4127
rdr on external inet proto tcp from any to a.b.e.1 port = 4899 -> 192.168.0.2 port 4899
rdr on external inet proto tcp from any to a.b.c.22 port = 4022 -> 172.16.56.57 port 22

FILTER RULES:
pass in all
pass out all
pass out quick on external inet from a.b.c.20/30 to any
pass out quick on external inet from a.b.d.224/27 to any
pass out quick on external inet from a.b.e.0/24 to any
block drop out on external all

STATES:
#a lot of states

INFO:
Status: Enabled for 0 days 11:06:40           Debug: Urgent

Hostid: 0x2055eb8b

State Table                          Total             Rate
  current entries                     4182
  searches                       250779576         6269.5/s
  inserts                          1877065           46.9/s
  removals                         1872883           46.8/s
Counters
  match                          165990128         4149.8/s
  bad-offset                             0            0.0/s
  fragment                              15            0.0/s
  short                                  2            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                           4550            0.1/s
  proto-cksum                            0            0.0/s
  state-mismatch                      6233            0.2/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   30s
tcp.opening                  5s
tcp.established          18000s
tcp.closing                 60s
tcp.finwait                 30s
tcp.closed                  30s
tcp.tsdiff                  10s
udp.first                   60s
udp.single                  30s
udp.multiple                60s
icmp.first                  20s
icmp.error                  10s
other.first                 60s
other.single                30s
other.multiple              60s
frag                         5s
interval                     2s
adaptive.start               0 states
adaptive.end                 0 states
src.track                    0s

LIMITS:
states        hard limit    50000
src-nodes     hard limit    30000
frags         hard limit    50000

TABLES:
mynet

OS FINGERPRINTS:
348 fingerprints loaded

Here I try to catch packets on external interface:

~> sudo tcpdump -ni external src net 192.168.0.0/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 96 bytes
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
12:59:44.401946 IP 192.168.54.12.2124 > 194.145.212.35.80: . ack 2208596276 win 0
12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
12:59:44.401971 IP 192.168.46.101.1652 > 81.19.80.2.80: . ack 1004425830 win 0
12:59:44.401983 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1120457487 win 0
12:59:44.401995 IP 192.168.54.71.1578 > 87.248.217.79.80: . ack 2473371997 win 0
12:59:44.402022 IP 192.168.38.49.4183 > 65.54.195.188.80: . ack 964472648 win 0
12:59:44.402041 IP 192.168.42.90.60363 > 66.249.93.91.80: . ack 2862783680 win 0
12:59:44.402055 IP 192.168.46.46.58867 > 89.188.102.70.80: . ack 2523375288 win 0
12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
12:59:44.402087 IP 192.168.60.38.2050 > 66.235.180.76.8080: . ack 2443543023 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
12:59:49.400190 IP 192.168.42.124.1314 > 81.19.80.2.80: . ack 1518361964 win 0
12:59:49.400202 IP 192.168.42.124.1315 > 217.16.26.60.80: . ack 2295931572 win 0
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
12:59:49.400229 IP 192.168.42.124.1311 > 81.222.128.13.80: . ack 1477893358 win 0
12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
12:59:49.400255 IP 192.168.42.124.1309 > 194.67.23.108.80: . ack 2813951723 win 0
12:59:49.400269 IP 192.168.38.16.1311 > 88.85.78.58.80: . ack 3157990844 win 0
12:59:49.400281 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1 win 0
12:59:49.400318 IP 192.168.11.118.2487 > 213.180.214.31.80: . ack 0 win 0
12:59:49.400331 IP 192.168.52.33.64997 > 193.192.41.2.80: . ack 69990011 win 0
12:59:49.400352 IP 192.168.24.16.1047 > 64.12.31.144.5190: . ack 2248286157 win 0
12:59:49.400371 IP 192.168.60.38.2057 > 66.235.180.76.8080: . ack 2458160570 win 0
12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
^C
28 packets captured
45864 packets received by filter
0 packets dropped by kernel

Why these packets weren't translated by pf nat rules or filtered by pf
block rule?

Note they appear once in five seconds. Tried to modify frag parameter,
but this didn't help. Also I noticed they all have ACK bit set.

Thank you.

--
mailto:adler@smtp.ru
On 7/12/07, Alexey Sopov <adler@smtp.ru> wrote:
> Hi
>
> On my machine with FreeBSD 6.2-STABLE #4 I noticed there are
> outgoing packets from net 192.168.0.0/16 on external interface
>
> [...]
>
> Why these packets weren't translated by pf nat rules or filtered by pf
> block rule?
>
> Note they appear once in five seconds. Tried to modify frag parameter,
> but this didn't help. Also I noticed they all have ACK bit set.
>
> Thank you.

What is the date of your build (uname -a). There was a commit recently
to fix fragmented packets w/ hardware checksums

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf_norm.c.diff?r1=1.11.2.4;r2=1.11.2.5;only_with_tag=RELENG_6

Maybe you just need to cvsup and build a new kernel / world?

Scott
While thinking about why it happens once in 5 seconds and has only ACK
bit set, I tried to check some timeout variables and found an
interesting thing.

These lines are in /etc/pf.conf:

set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }

And this I get from pfctl -s timeouts:

TIMEOUTS:
tcp.first                   30s
tcp.opening                  5s
tcp.established          18000s
tcp.closing                 60s
tcp.finwait                 30s
tcp.closed                  30s
tcp.tsdiff                  10s
udp.first                   60s
udp.single                  30s
udp.multiple                60s
icmp.first                  20s
icmp.error                  10s
other.first                 60s
other.single                30s
other.multiple              60s
frag                         5s
interval                     2s
adaptive.start               0 states
adaptive.end                 0 states
src.track                    0s

Settings are loaded in pf via /etc/rc.d/pf start

Why do these things differ?

P.S. Sorry for my English.

--
Alexey
mailto:adler@smtp.ru
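A practitioner faced with this mismatch wants a repeatable comparison of what pf.conf asks for and what the kernel is actually running. The script below is an added example, not part of the thread: it parses `set timeout` lines (braced or single-value form) from a pf.conf and the listing printed by `pfctl -s timeouts`, then reports every configured value the running kernel does not reflect. The two sample texts are constructed from the values quoted in the post; on a live box you would feed it `/etc/pf.conf` and the output of `pfctl -s timeouts`.

```python
import re

# Constructed samples in the shape shown in the thread: the two lines
# written into /etc/pf.conf and the listing pfctl -s timeouts printed.
PF_CONF_SAMPLE = """\
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
"""
PFCTL_TIMEOUTS_SAMPLE = """\
TIMEOUTS:
tcp.first                   30s
tcp.opening                  5s
tcp.established          18000s
tcp.closing                 60s
tcp.finwait                 30s
tcp.closed                  30s
tcp.tsdiff                  10s
udp.first                   60s
frag                         5s
interval                     2s
adaptive.start               0 states
adaptive.end                 0 states
src.track                    0s
"""

# "set timeout { a 1, b 2 }" and "set timeout interval 10" are both valid pf.conf.
SET_TIMEOUT_RE = re.compile(r"^\s*set\s+timeout\s+(.*?)\s*$")
PAIR_RE = re.compile(r"([a-z]+(?:\.[a-z]+)?)\s+(\d+)")
# pfctl prints seconds with an "s" suffix and the adaptive.* values as "N states".
PFCTL_RE = re.compile(r"^\s*([a-z]+(?:\.[a-z]+)?)\s+(\d+)\s*(?:s|states)\s*$")


def parse_pf_conf_timeouts(text):
    """Collect every `set timeout` line of a pf.conf into {name: value}."""
    wanted = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = SET_TIMEOUT_RE.match(line)
        if m:
            for name, value in PAIR_RE.findall(m.group(1).strip("{} ")):
                wanted[name] = int(value)
    return wanted


def parse_pfctl_timeouts(text):
    """Parse the `pfctl -s timeouts` listing into {name: value}."""
    active = {}
    for line in text.splitlines():
        m = PFCTL_RE.match(line)
        if m:
            active[m.group(1)] = int(m.group(2))
    return active


def timeout_mismatches(wanted, active):
    """{name: (configured, running)} for each configured value the kernel
    does not show; running is None when pfctl did not list the name."""
    return {name: (value, active.get(name))
            for name, value in wanted.items() if active.get(name) != value}


if __name__ == "__main__":
    diffs = timeout_mismatches(parse_pf_conf_timeouts(PF_CONF_SAMPLE),
                               parse_pfctl_timeouts(PFCTL_TIMEOUTS_SAMPLE))
    for name, (configured, running) in sorted(diffs.items()):
        print(f"{name:16} configured {configured:>6}  running {running}")
```

Run it on the thread's values and all six configured timeouts come back as mismatches. Two things are worth checking when that happens: `pfctl -nf /etc/pf.conf` parses the file without loading it and shows whether pfctl accepts the whole ruleset, and the six running values in the post (30, 5, 18000, 60, 30, 30) are exactly the ones pf's `set optimization aggressive` profile installs, so a `set optimization` line elsewhere in the file is one candidate for where they came from.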
Fresh news. I've noticed all unblocked packets have tcp window
suggestion set to 0 (zero).

I tried to block these packets on external interface:

~>sudo ipfw add 10 deny log tcp from 192.168.0.0/16 to any via external out tcpwin 0

This rule is the first rule in ipfw.

Then I looked for such packets and I found them :(

~>sudo tcpdump -ni external src net 192.168.0.0/16
15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0
15:17:57.603974 IP 192.168.38.36.4647 > 87.250.251.11.80: . ack 1795114833 win 0
15:17:57.603987 IP 192.168.32.96.2263 > 205.188.1.136.5190: . ack 1459514474 win 0
15:17:57.604015 IP 192.168.24.92.4049 > 194.186.121.81.80: . ack 1712730130 win 0
15:17:57.604028 IP 192.168.56.100.2934 > 194.67.23.206.80: . ack 0 win 0
15:17:57.604041 IP 192.168.48.33.3314 > 81.19.66.19.80: . ack 1697432479 win 0
15:17:57.604053 IP 192.168.24.92.4040 > 194.186.121.82.80: . ack 1951624102 win 0
15:17:57.604066 IP 192.168.16.35.2298 > 69.147.108.254.443: . ack 3953269109 win 0
15:17:57.604078 IP 192.168.11.143.60431 > 194.186.121.77.80: . ack 4068897542 win 0
15:17:57.604092 IP 192.168.9.18.60492 > 64.12.31.176.5190: . ack 3864640183 win 0
15:17:57.604104 IP 192.168.24.18.60660 > 81.222.128.13.80: . ack 456936114 win 0
15:17:57.604117 IP 192.168.24.18.60659 > 81.222.128.13.80: . ack 457633387 win 0
15:17:57.604129 IP 192.168.48.33.3316 > 88.212.196.77.80: . ack 3294547611 win 0
15:17:57.604142 IP 192.168.48.33.3317 > 88.212.196.77.80: . ack 407383482 win 0
15:17:57.604155 IP 192.168.38.36.4645 > 194.67.45.129.80: . ack 450309387 win 0
15:17:57.604167 IP 192.168.48.33.3318 > 194.67.45.98.80: . ack 2013143653 win 0
15:17:57.604180 IP 192.168.50.44.34589 > 213.155.151.142.80: . ack 1954703640 win 0
15:17:57.604191 IP 192.168.42.85.4027 > 216.178.38.78.80: . ack 1861099043 win 0

And I looked into security log to see whether they are similar (lines
prefixed with space are common):

~>sudo less /var/log/security
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2290 216.109.127.6:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.52.20:1636 81.177.16.60:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.9.17:3403 217.106.230.137:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.48.33:3318 194.67.45.98:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.169:1801 194.67.23.108:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4647 87.250.251.11:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4049 194.186.121.81:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4040 194.186.121.82:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4645 194.67.45.129:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60660 81.222.128.13:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60659 81.222.128.13:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2083 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1075 85.112.114.78:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1078 85.112.114.77:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2283 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2272 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.22.103:1054 216.195.54.170:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4069 193.108.95.55:80 out via external

I have two questions now:
1. Why are there denied outgoing packets on external interface?
2. Why does ipfw skip some tcp packets with (tcpwin 0), so that I see them only with tcpdump?

--
mailto:adler@smtp.ru
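The two captures in this thread (the first post's tcpdump of private-source packets on the external interface, and this post's comparison of that capture against the ipfw deny log) are the kind of thing worth automating, because an RFC1918 source leaving a NAT gateway untranslated is an egress leak whatever its cause. The script below is an added example and not code from the thread: it parses tcpdump lines of the format shown, keeps the packets whose source is private and destination is not, narrows them to the pattern the poster noticed (ACK-only, window 0), counts them per second to expose the five-second bursts, and finally subtracts the flows ipfw logged as denied to list the ones that were on the wire without the firewall seeing them. The sample lines are constructed from the captures above, plus three constructed extra lines (a repeat five seconds later, a normal data segment from 10.20.30.40, and a SYN from a public address) so the filters have something to reject.

```python
import ipaddress
import re
from collections import Counter, namedtuple

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "ts src sport dst dport flags ack win")
Denied = namedtuple("Denied", "rule src sport dst dport direction iface")

# Constructed sample: five lines from the 15:17:57 burst in the thread, plus
# three constructed lines (a repeat 5 s later, a data segment, a public SYN).
TCPDUMP_SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0
15:17:57.603974 IP 192.168.38.36.4647 > 87.250.251.11.80: . ack 1795114833 win 0
15:17:57.604066 IP 192.168.16.35.2298 > 69.147.108.254.443: . ack 3953269109 win 0
15:17:57.604191 IP 192.168.42.85.4027 > 216.178.38.78.80: . ack 1861099043 win 0
15:18:02.612345 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:18:02.612400 IP 10.20.30.40.5555 > 203.0.113.9.80: P 1:10(9) ack 1 win 65535
15:18:02.612450 IP 198.51.100.7.40000 > 203.0.113.9.80: S 100:100(0) win 65535
28 packets captured
"""
# Constructed sample: four of the ipfw deny lines from the same second.
IPFW_SAMPLE = """\
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4647 87.250.251.11:80 out via external
"""

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+) (?P<rest>.*)$")
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny TCP (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)")


def parse_tcpdump(text):
    """Parse tcpdump -n TCP lines; banner and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        ack = re.search(r"\back (\d+)", m.group("rest"))
        win = re.search(r"\bwin (\d+)", m.group("rest"))
        packets.append(Packet(m.group("ts"), m.group("src"), int(m.group("sport")),
                              m.group("dst"), int(m.group("dport")), m.group("flags"),
                              int(ack.group(1)) if ack else None,
                              int(win.group(1)) if win else None))
    return packets


def parse_ipfw_log(text):
    """Parse 'ipfw: N Deny TCP src:port dst:port dir via iface' log lines."""
    return [Denied(int(m.group("rule")), m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport")), m.group("dir"), m.group("iface"))
            for m in (IPFW_RE.search(l) for l in text.splitlines()) if m]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def leaked_egress(packets):
    """Private source, non-private destination: must not appear untranslated
    on a NAT gateway's external interface."""
    return [p for p in packets if is_rfc1918(p.src) and not is_rfc1918(p.dst)]


def zero_window_acks(packets):
    """The pattern from the thread: flags '.' (ACK only), window 0."""
    return [p for p in leaked_egress(packets)
            if p.flags == "." and p.ack is not None and p.win == 0]


def bursts_by_second(packets):
    """How many suspicious packets per wall-clock second (shows the 5 s cadence)."""
    return Counter(p.ts for p in packets)


def flow_key(x):
    return (x.src, x.sport, x.dst, x.dport)


def not_denied(packets, denies):
    """Flows tcpdump saw leaving that the ipfw deny rule never logged."""
    logged = {flow_key(d) for d in denies if d.direction == "out"}
    return sorted({flow_key(p) for p in packets} - logged)


if __name__ == "__main__":
    bad = zero_window_acks(parse_tcpdump(TCPDUMP_SAMPLE))
    print("zero-window ACK leaks per second:", dict(bursts_by_second(bad)))
    for key in not_denied(bad, parse_ipfw_log(IPFW_SAMPLE)):
        print("on the wire but not denied by ipfw:", "%s:%d > %s:%d" % key)
```

On the sample the per-second counter shows the burst at 15:17:57 and the repeat at 15:18:02, and the subtraction reports 192.168.54.106:3388 > 217.65.2.62:80, which is in the tcpdump capture but absent from the deny log. Feeding the full capture and the full /var/log/security into the same two functions gives the complete list behind the second question in the post, and the leaked_egress filter alone is a useful standing check for a gateway whether or not the zero-window pattern is present.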