Most of your BAD state messages are of the form

    pf: BAD state: TCP X.X.129.45:80 X.X.129.45:80 X.X.246.205:1771 [lo=4006379205 high=4006444151 win=17424 modulator=0] [lo=2523483440 high=2523483440 win=65535 modulator=0] 4:4 A seq=2523483440 (2523483440) ack=4006379205 len=1452 ackskew=0 pkts=17:34 dir=out,rev
    pf: State failure on: 1
The browser (client) opened a connection to the web server, and with this packet, the server is returning data. The client has a receiving window of 65535 bytes (the size of its read buffer). The server can send data only until that buffer is full. Then it must wait for the client to drain the buffer and acknowledge that it is ready to receive more data.

In your case, the client window is full (lo=high=2523483440), yet the server is trying to send further data (seq=2523483440 + len=1452), which is not allowed.

Either the web server is violating TCP (because of a bug in its TCP/IP stack, or due to some form of throughput "optimization"), or, more likely, you have built yourself a setup where this pf box is not seeing all packets sent from client to server. I see pfsync log messages, too. If there is any form of load-balancing, or if there are multiple links or paths between client and server, you have to make sure that all packets of the same TCP connection flow through the same pf box. Otherwise stateful filtering breaks, and it could look like what you're seeing.

Try to capture a single TCP connection (with tcpdump on all relevant interfaces of the pf box) from handshake to the point where the BAD state message occurs (include the BAD state message, too).

Daniel
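The reasoning in the reply above (end of segment = seq + len, compared against the sender's tracked high) can be reproduced mechanically from the log line. The following is an added example, not code from the post or from pf itself: it parses a "pf: BAD state:" line and re-runs the five sequence-window checks that OpenBSD's pf_test_state_tcp applies, in the same numbering that the "State failure on:" line uses. The sample line is constructed: it carries the numbers from the post with the anonymised "X.X." addresses replaced by RFC 5737 documentation addresses. This older log format carries no window scale, so the example assumes the scaled windows equal the logged win= values; the "asymmetric path" hint at the end is a heuristic drawn from the reply, not something pf reports.

```python
import re
from dataclasses import dataclass

# Constructed sample, not captured from a live system: same numbers as the
# BAD state line in the post, "X.X." addresses replaced by RFC 5737 ones.
SAMPLE = ("pf: BAD state: TCP 192.0.2.45:80 192.0.2.45:80 198.51.100.205:1771 "
          "[lo=4006379205 high=4006444151 win=17424 modulator=0] "
          "[lo=2523483440 high=2523483440 win=65535 modulator=0] "
          "4:4 A seq=2523483440 (2523483440) ack=4006379205 len=1452 "
          "ackskew=0 pkts=17:34 dir=out,rev")

MOD32 = 1 << 32
MAXACKWINDOW = 0xFFFF + 1500      # slack pf allows on acks (pf.c)

PEER_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)\]")
LINE_RE = re.compile(
    r"BAD state: (?P<proto>\w+) (?P<hosts>(?:\S+ ){3})"
    r"(?P<peers>\[[^\]]*\] \[[^\]]*\]) (?P<states>\d+:\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) \((?P<orig_seq>\d+)\) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts>\d+:\d+) "
    r"dir=(?P<dir>in|out),(?P<rel>fwd|rev)")


@dataclass
class Peer:
    lo: int          # seqlo: next sequence number expected from this peer
    high: int        # seqhi: highest sequence number this peer may send
    win: int         # max_win: largest window this peer has advertised
    modulator: int   # sequence-number modulator (0 = none)


def seq_geq(a, b):
    """a >= b in TCP's modulo-2^32 arithmetic (pf's SEQ_GEQ macro)."""
    return ((a - b) % MOD32) < (1 << 31)


def parse_bad_state(line):
    """Split a 'pf: BAD state:' line into its fields and two Peer windows."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a pf BAD state line: %r" % line)
    peers = [Peer(*map(int, p)) for p in PEER_RE.findall(m["peers"])]
    if len(peers) != 2:
        raise ValueError("expected two [lo= high= win= modulator=] peers")
    rec = {k: int(v) for k, v in m.groupdict().items()
           if k in ("seq", "orig_seq", "ack", "len", "ackskew")}
    rec.update(proto=m["proto"], flags=m["flags"], direction=m["dir"],
               rel=m["rel"], src=peers[0], dst=peers[1])
    return rec


def peers_for_packet(rec):
    """pf_print_state prints the state's src peer first, dst second; for a
    packet against the state's original direction ("rev") pf swaps them,
    so the sender's window is then the second bracket."""
    if rec["rel"] == "fwd":
        return rec["src"], rec["dst"]
    return rec["dst"], rec["src"]


def failed_checks(rec):
    """Re-run pf's sequence-window checks; return the numbers that fail,
    in the numbering of the 'pf: State failure on:' line."""
    sender, receiver = peers_for_packet(rec)
    # Last sequence number the segment occupies: SYN and FIN each take one.
    end = (rec["seq"] + rec["len"]
           + ("S" in rec["flags"]) + ("F" in rec["flags"])) % MOD32
    # Assumption: no window scale in this log format, so win= is used as-is.
    checks = {
        1: seq_geq(sender.high, end),                 # end inside sender's window
        2: seq_geq(rec["seq"], (sender.lo - receiver.win) % MOD32),  # <= one window back
        3: rec["ackskew"] >= -MAXACKWINDOW,           # ack not too far back
        4: rec["ackskew"] <= MAXACKWINDOW,            # ack not too far forward
        5: "R" not in rec["flags"] or (rec["orig_seq"] - sender.lo) % MOD32
           in (0, 1, MOD32 - 1),                       # RST must sit at seqlo +/- 1
    }
    return [n for n, ok in checks.items() if not ok]


def explain(line):
    """Return (failed check numbers, bytes past sender's high, hint)."""
    rec = parse_bad_state(line)
    bad = failed_checks(rec)
    sender, _ = peers_for_packet(rec)
    overrun = (rec["seq"] + rec["len"] - sender.high) % MOD32 if 1 in bad else 0
    hint = ""
    if 1 in bad and sender.lo == sender.high:
        # Heuristic from the reply: the window is full as pf last saw it.
        hint = ("sender has filled the window as pf last saw it: either it "
                "overran the receiver's window, or the receiver's acks and "
                "window updates never passed this pf box (asymmetric path?)")
    return bad, overrun, hint


if __name__ == "__main__":
    print(explain(SAMPLE))
```

Run against the constructed line it reports check 1 as the only failure with the segment ending 1452 bytes past the sender's high, and, because lo equals high on the sender's side, prints the asymmetric-path hint; feeding it real lines with dir=...,fwd exercises the un-swapped peer order.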