another reassemble tcp problem - details for PF developers

Thu, 14 Jan 2010 14:43:57 -0800 

There has been 2 recent threads mentioning problems with "reassemble tcp":
"pf: reassemble tcp"
"problems with emails through pf"

For info here is another. We solved the problem by removing this scrub.

We went from 4.3 with
scrub in all

to the latest 4.6 stable with
match in all scrub (reassemble tcp)

and bizarrely found we sometimes (~50%) couldnt FTP to several sites.
It would hang just before sending any data. This would happen about
50% of the time and work fine the rest. It may be an irrelevant
coincidence but each FTP site that this happened with was Microsoft
FTP. It never happened (ie FTP always worked fine) with other server
types. The OpenBSD firewall is running ftp-proxy. The internal client
is a linux desktop. Removing the "reassemble tcp" scrub made the
problem go away and a successful connection/download every time.

We took tcpdumps on both the internal and external interfaces of the
OpenBSD firewall/ftp-proxy.

Looking at our capture on firewall internal interface, the payload of
the first TCP packet after the handshake seems to be ignored.  I see:

  Frames 26, 28, 29:  TCP handshake
  33:  first data from server
  34:  client then immediately sends ACK to server with seq=1
  35:  last of the data from server
  36:  server attempting to close connection
  37, 38:  Client sends two ACKs in quick succession, presumably
responses to 35, 36; sequence number is still 1
  ... server retransmits, client sends same ACKs, etc. until server
gets frustrated and sends a RST

It looks like the MS FTP server is being well-behaved, but each time
some data is received, the internal linux desktop immediately replies
with an ACK denying that any data was received.  This suggests that
it's aware that it's received some packets, but is rejecting the
contents for some reason. Not sure.

Looking at the capture on firewall external interface, is pretty much
the same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.

Like I said I supply this info just for curiosity. We have it working
now by removing reassemble tcp - maybe its helpful to the PF
developers, maybe not. Below is the screen output from the internal
linux desktop using lftp.

Many thanks,

Alastair Johnson







================================= NOT Working =====================
-bash-3.1$ lftp -c "open -uAAAAA,BBBBB 198.80.165.171; debug; ls"
---- Connecting to 198.80.165.171 (198.80.165.171) port 21
<--- 220 Microsoft FTP Service
---> FEAT
<--- 530 Please login with USER and PASS.
---> AUTH TLS
<--- 500 'AUTH TLS': command not understood
---> USER AAAAA
<--- 331 Password required for AAAAA.
---> PASS BBBBB
<--- 230-Welcome to Thomson Financial I/B/E/S FTP site.
<---     This site is for authorized users only.
<---     Any or all uses of this system and all files on
<---     this system are monitored, recorded, and audited.
<---     LOG OFF IMMEDIATELY if you do not agree to the
<---     conditions stated in this warning.
<--- 230 User AAAAA logged in.
---> FEAT
<--- 211-FEAT
<---     SIZE
<---     MDTM
<--- 211 END
---> PWD
<--- 257 "/" is current directory.
---> PASV
<--- 227 Entering Passive Mode (198,80,165,171,227,43)
---- Connecting data socket to (198.80.165.171) port 58155
---- Data connection established
---> LIST
<--- 125 Data connection already open; Transfer starting.
<--- 226 Transfer complete.
`ls' at 0 [Receiving data]
===================== Hang at this point ==========================



===================================== Working =====================
....snip....

<--- 230 User AAAAA logged in.
---> FEAT
<--- 211-FEAT
<---     SIZE
<---     MDTM
<--- 211 END
---> PWD
<--- 257 "/" is current directory.
---> PASV
<--- 227 Entering Passive Mode (198,80,165,171,198,136)
---- Connecting data socket to (198.80.165.171) port 50824
---- Data connection established
---> LIST
<--- 125 Data connection already open; Transfer starting.
dr-xr-xr-x   1 owner    group               0 Dec 22  2009 history
... and then more files/directories

Reply via email to