I'm consistently getting a RST packet, but I can't figure out why.

# tcpdump -nettti pflog0
tcpdump: listening on pflog0, link-type PFLOG
Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:20.408407 rule 34/(match) pass out on vlan1: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:20.550409 rule 43/(match) pass in on vlan1: 10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
Nov 14 11:42:20.550514 rule 47/(match) pass out on vlan2: 10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
Nov 14 11:42:21.754224 rule 57/(match) pass in on vlan3: 10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
Nov 14 11:42:53.614950 rule 47/(match) pass out on vlan2: 96.253.91.225.4814 > 10.0.2.2.53:[|domain]
Nov 14 11:42:57.672970 rule 0/(match) block in on vlan1: 10.0.1.20.2001 > 255.255.255.255.37: udp 0
Nov 14 11:43:06.344155 rule 0/(match) block in on vlan3: [|ip6]
Nov 14 11:43:25.756063 rule 57/(match) pass in on vlan3: 10.0.3.104.123 > 17.151.16.21.123: v4 client strat 3 poll 6 prec -20
Nov 14 11:43:38.740956 rule 0/(match) block in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF) [tos 0x10]
^C

Note: I pressed return in the SSH shell at 11:43:38

Running Ethereal on 10.0.4.6, I can see the SSH packet from
10.0.4.6:53255 --> 10.0.1.24:22 followed immediately by a RST packet from
10.0.1.24:22 --> 10.0.4.6:53255

The thing that confuses me is that:
- 10.0.4.6 has no trouble maintaining an SSH connection to other hosts in
the 10.0.1.0/24 network
- other hosts in the 10.0.1.0/24 network have no trouble maintaining an SSH
connection with 10.0.1.24

# pfctl -vvs rules
@0 scrub in on gem0 all fragment reassemble
[ Evaluations: 1893945   Packets: 22091     Bytes: 10427870    States: 0     ]
[ Inserted: uid 0 pid 26797 ]
@0 block return log all
[ Evaluations: 5467      Packets: 946       Bytes: 67688       States: 0     ]
[ Inserted: uid 0 pid 26797 ]
<snip>
@34 pass out log quick on vlan1 inet proto tcp from 10.0.4.6 to 10.0.1.0/24 port = ssh flags S/SA keep state
[ Evaluations: 82        Packets: 1430      Bytes: 193425      States: 1     ]
[ Inserted: uid 0 pid 26797 ]
<snip>
@62 pass in log quick on vlan4 inet from 10.0.4.0/24 to any flags S/SA keep state
[ Evaluations: 635       Packets: 22817     Bytes: 13187743    States: 4     ]
[ Inserted: uid 0 pid 26797 ]
<snip>

Any ideas?

PS: I'm running OpenBSD 4.2 - CARP is configured, but the other machine
is powered down

Thanks,
Kent
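An added diagnostic, not part of Kent's post or of pf itself: the pflog above shows the same SSH flow (10.0.4.6:53255 > 10.0.1.24:22) passed in on vlan4 by the state-creating rule 62 at 11:42:20 and then evaluated against the ruleset again and blocked by the default rule 0 at 11:43:38. Since pf logs only packets that are evaluated against the ruleset (packets matched by an existing state are not logged unless the rule logs all packets), a later block for an identical 5-tuple in the same direction on the same interface means the state no longer existed when that packet arrived; and because rule 0 is `block return`, pf itself answers a blocked TCP segment with a RST whose source is the intended peer, which is consistent with what Ethereal sees on 10.0.4.6. The script below correlates pass and block records per flow and reports the gap. The sample lines are the post's own log records, unwrapped onto single lines; the year is absent from pflog timestamps and is not needed for the deltas.

```python
"""Correlate pflog records: report flows that a state-creating pass rule
admitted and that were later blocked again in the same direction on the same
interface, i.e. flows whose pf state had disappeared in between.

Added example; not part of the original post. SAMPLE_PFLOG is constructed from
the log lines quoted in the post (each record unwrapped to one line)."""
import re
from datetime import datetime

SAMPLE_PFLOG = """\
Nov 14 11:42:20.408301 rule 62/(match) pass in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:20.408407 rule 34/(match) pass out on vlan1: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF)
Nov 14 11:42:20.550409 rule 43/(match) pass in on vlan1: 10.0.1.24.36875 > 10.0.2.2.53:[|domain] (DF)
Nov 14 11:42:57.672970 rule 0/(match) block in on vlan1: 10.0.1.20.2001 > 255.255.255.255.37: udp 0
Nov 14 11:43:38.740956 rule 0/(match) block in on vlan4: 10.0.4.6.53255 > 10.0.1.24.22: [|tcp] (DF) [tos 0x10]
"""

# One IPv4 record as printed by `tcpdump -nettti pflog0`. The protocol-specific
# trailer ("[|tcp] (DF)", "udp 0", "[|domain]") is kept verbatim in 'rest'.
# Records without an address.port pair (NTP payload dumps, "[|ip6]") are skipped.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_pflog(text):
    """Parse pflog text into a list of record dicts (unparseable lines dropped)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # pflog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing differences inside one capture.
        rec["ts"] = datetime.strptime(
            f"{rec['mon']} {rec['day']} {rec['time']}", "%b %d %H:%M:%S.%f")
        rec["flow"] = (rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]))
        records.append(rec)
    return records


def find_state_loss(text):
    """Return one finding per (flow, direction, interface) that was passed by a
    rule and later blocked. pf evaluates the ruleset only for packets that
    match no existing state, so a 'block' record for a 5-tuple that an earlier
    'pass' record admitted means the state was gone by then."""
    last_pass = {}
    findings = []
    for rec in parse_pflog(text):
        key = (rec["flow"], rec["dir"], rec["ifname"])
        if rec["action"] == "pass":
            last_pass[key] = rec
        elif key in last_pass:
            p = last_pass[key]
            findings.append({
                "flow": rec["flow"],
                "dir": rec["dir"],
                "ifname": rec["ifname"],
                "pass_rule": int(p["rule"]),
                "passed_at": p["ts"],
                "block_rule": int(rec["rule"]),
                "blocked_at": rec["ts"],
                "gap_seconds": (rec["ts"] - p["ts"]).total_seconds(),
                "blocked_pkt": rec["rest"],
            })
    return findings


if __name__ == "__main__":
    for f in find_state_loss(SAMPLE_PFLOG):
        src, sport, dst, dport = f["flow"]
        print(f"{src}:{sport} > {dst}:{dport} {f['dir']} on {f['ifname']}: "
              f"passed by rule {f['pass_rule']} at {f['passed_at'].time()}, "
              f"blocked by rule {f['block_rule']} {f['gap_seconds']:.1f}s later "
              f"({f['blocked_pkt']})")
```

Run against the post's records it reports a single flow, the SSH session, passed by rule 62 and blocked by rule 0 about 78 seconds later, with `[tos 0x10]` on the blocked segment. Pointing the same script at a longer `tcpdump -nettti pflog0` capture (with the pass rules changed to log every packet, so that state-matched traffic also shows up) lets one see how long the state lived and which side's packets, if any, pf saw in between.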
