Hello,

On a backend we notice the following very strange behaviour:

[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
otherhost [otherhost_IP] 1024 (?) open
 punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
 punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
otherhost [otherhost_IP] 1024 (?) open
 punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
 punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
otherhost [otherhost_IP] 1024 (?) open
 punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
otherhost [otherhost_IP] 1024 (?) open
^[[Ac punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
otherhost [otherhost_IP] 1024 (?) open
 punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
 punt!
[EMAIL PROTECTED] ~]$ nc -nv otherhost 1024
otherhost [otherhost_IP] 1024 (?) open
 punt!

What seems to be the problem here, I ask? Sometimes the socket doesn't
open...

After much investigation, we found out that when the connection arrives
at the packet filter, it doesn't always follow through anywhere.
Worse... sometimes the connection opens after a few seconds.

I've noticed that if I disable pf, and just get an open gateway, the
packets always follow through from the backend to the otherhost, so it
seems to be related to PF.

However, if the rules weren't OK, then the connection would *always*
fail, right?

My rules start with:

set debug loud

scrub in all
pass quick on { ... interfaces with carp ... } proto carp keep state
pass quick on $pfsync_if proto pfsync keep state (no-sync)
set skip on lo0

pass quick on lo
antispoof quick log for { ... all interfaces ... }
block in quick to 224.0.0.0/8
block log all

then I have

pass in on $backend_if inet proto tcp from $backend to $otherhost port \
        1024 flags S/SA keep state
pass out on $other_if inet proto tcp from $backend to $otherhost port \
        1024 flags S/SA keep state

Of course it has a few other rules, like allowing me to ssh to the
machine, and a few other pass rules for other services, but the only
rule relating to $backend, $otherhost and port 1024 is this one.

Loud debug doesn't seem to provide any hints.
These lost packets don't show up on pflog
/var/log/messages complains frequently about invalid size packets...

Any suggestions?

Thanks in advance,
Rui

PS: here's a dmesg from fresh boot, with the IP on the last line
replaced by otherhost2:

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16
cpu0: EST: strange msr value 0x0000112d0000112d
real mem  = 1073258496 (1048104K)
avail mem = 971022336 (948264K)
using 4256 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf0000, SMBIOS rev. 2.3 @ 0xec000 (73 entries)
bios0: HP ProLiant DL360 G4p
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev 0x00)
pcibios0: PCI bus #13 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4000! 0xcc000/0x1000 0xcd000/0x1800 0xce800/0x1600 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7520 MCH" rev 0x0c
ppb0 at pci0 dev 2 function 0 "Intel MCH PCIE" rev 0x0c
pci1 at ppb0 bus 13
ppb1 at pci0 dev 4 function 0 "Intel MCH PCIE" rev 0x0c
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 7
ppb3 at pci3 dev 1 function 0 "Pericom PI7C21P100 PCIX-PCIX" rev 0x01
pci4 at ppb3 bus 8
em0 at pci4 dev 4 function 0 "Intel PRO/1000MT QP (82546GB)" rev 0x03: irq 5, address 00:13:21:78:0e:8c
em1 at pci4 dev 4 function 1 "Intel PRO/1000MT QP (82546GB)" rev 0x03: irq 5, address 00:13:21:78:0e:8d
em2 at pci4 dev 6 function 0 "Intel PRO/1000MT QP (82546GB)" rev 0x03: irq 7, address 00:13:21:78:0e:8e
em3 at pci4 dev 6 function 1 "Intel PRO/1000MT QP (82546GB)" rev 0x03: irq 5, address 00:13:21:78:0e:8f
ppb4 at pci2 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci5 at ppb4 bus 10
em4 at pci5 dev 1 function 0 "Intel PRO/1000MT (82546EB)" rev 0x01: irq 5, address 00:11:0a:59:d8:6c
em5 at pci5 dev 1 function 1 "Intel PRO/1000MT (82546EB)" rev 0x01: irq 5, address 00:11:0a:59:d8:6d
ppb5 at pci0 dev 6 function 0 "Intel MCH PCIE" rev 0x0c
pci6 at ppb5 bus 3
ppb6 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci7 at ppb6 bus 2
ciss0 at pci7 dev 1 function 0 "Compaq Smart Array 64xx" rev 0x01: irq 5
ciss0: 1 LD, HW rev 1, FW 2.68/2.68
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: <HP, LOGICAL VOLUME, 2.68> SCSI0 0/direct fixed
sd0: 69459MB, 69459 cyl, 64 head, 32 sec, 512 bytes/sec, 142253280 sec total
bge0 at pci7 dev 2 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:18:fe:89:0d:8c
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci7 dev 2 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:18:fe:89:0d:8b
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 5
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
ppb7 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
pci8 at ppb7 bus 1
vga1 at pci8 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Compaq iLO" rev 0x01 at pci8 dev 4 function 0 not configured
"Compaq iLO" rev 0x01 at pci8 dev 4 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <HL-DT-ST, CD-ROM GCR-8240N, 2.03> SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask efe5 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
carp: pfsync0 demoted group carp to 129
carp: carp2 demoted group carp to 130
carp: carp3 demoted group carp to 131
carp: carp5 demoted group carp to 132
carp: carp2 demoted group carp to 131
carp: carp3 demoted group carp to 130
carp: carp5 demoted group carp to 129
carp0: ip_output failed: 65
carp4: ip_output failed: 65
carp: pfsync0 demoted group carp to 0
arp info overwritten for otherhost2 by 00:16:76:2e:cf:54 on bge1


--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?


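The manual `nc -nv otherhost 1024` loop in the mail is the right test, but by hand it only shows that some connects fail; it does not show how often, or how long the ones that do open take. The script below is an added example (not part of the original mail, and not OpenBSD or PF code) that repeats the connect attempt, records the outcome and elapsed time of each one, and summarizes the success ratio together with the number of connects that completed only after a delay, which is the "opens after a few seconds" case described above. `HOST`/`PORT` are placeholders for the backend-to-otherhost path, and `local_listener()` is a constructed fixture so the script can be exercised offline.

```python
"""Repeatable TCP connect probe (added example; not from the original mail).

Automates the manual `nc -nv otherhost 1024` loop: repeats the connect,
records outcome and elapsed time per attempt, and summarizes how many
attempts failed outright and how many completed only after a delay.
"""
import socket
import statistics
import sys
import time
from dataclasses import dataclass

HOST = "otherhost"   # placeholder for the real peer on the backend path
PORT = 1024          # the port under test in the mail


@dataclass
class ProbeResult:
    ok: bool          # True if the TCP handshake completed
    seconds: float    # wall-clock time spent in connect()
    error: str = ""   # exception class name when the connect failed


def probe_once(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """One connect attempt; the connection is closed as soon as it opens."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(True, time.monotonic() - start)
    except OSError as exc:
        # ConnectionRefusedError: peer (or filter) answered with RST.
        # TimeoutError: SYN never answered within `timeout` (silent drop).
        return ProbeResult(False, time.monotonic() - start, type(exc).__name__)


def probe_many(host: str, port: int, count: int, timeout: float = 5.0,
               pause: float = 0.0) -> list:
    """Run `count` sequential probes, optionally pausing between them."""
    results = []
    for _ in range(count):
        results.append(probe_once(host, port, timeout))
        if pause:
            time.sleep(pause)
    return results


def summarize(results: list, slow_after: float = 1.0) -> dict:
    """Success ratio plus latency statistics for the successful connects.

    `slow_after` is the elapsed time above which a *successful* connect is
    counted as slow. A LAN handshake takes milliseconds, so a connect that
    needed a second or more almost certainly completed on a retransmitted
    SYN after the first one went unanswered.
    """
    ok = [r for r in results if r.ok]
    lat = [r.seconds for r in ok]
    return {
        "attempts": len(results),
        "succeeded": len(ok),
        "success_ratio": (len(ok) / len(results)) if results else 0.0,
        "slow": sum(1 for s in lat if s >= slow_after),
        "median_connect_s": statistics.median(lat) if lat else None,
        "max_connect_s": max(lat) if lat else None,
        "errors": sorted({r.error for r in results if not r.ok}),
    }


def local_listener(backlog: int = 64):
    """Constructed test fixture: a listening socket on 127.0.0.1, ephemeral port.

    It never calls accept(); handshakes still complete via the kernel's
    listen backlog, which is all the probe needs.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    count = int(sys.argv[3]) if len(sys.argv) > 3 else 20
    for i, r in enumerate(probe_many(host, port, count, pause=0.5), 1):
        state = "open" if r.ok else "FAILED (%s)" % r.error
        print("%3d  %-28s %.3fs" % (i, state, r.seconds))
    print(summarize(probe_many(host, port, count, pause=0.5)))
```

Run it from the backend against otherhost with a count large enough to be meaningful (a few dozen attempts), and run it a second time with pf disabled on the gateway, as the mail describes; comparing the two summaries puts a number on "sometimes", and a non-zero `slow` count with a zero failure count is the signature of SYNs that were dropped once and then got through on retransmit, which a filter that does not log the drop will never show in pflog.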