On Fri, 14 Feb 2003 22:17:01 +0100 Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> > They also arrive at 192.168.0.3, I can give you the tcpdump -s 1500
> > output of that if needed.
>
> Yes, just to check whether both cases are correct RSTs.
>
> > Well, I did notice something abnormal in it. I'm getting flooded with
> > messages that say:
> > Feb 14 18:39:04 zombie /bsd: pf_map_addr: selected address: 192.168.0.1
>
> Those are harmless, you can safely ignore them.
>
> You mention that you see the RSTs arrive at the client in both cases.
> Are you maybe running pf on the client as well? Is it maybe filtering
> statefully with 'flags S', so the outgoing SYN+ECN is not creating state
> and the RST is blocked on the client?
>
> If the RST arrives at the client, and is valid, it looks like the
> problem is on the client, not the gateway.

(linewrap disabled for easier readability)

First off, 192.168.0.3 has pf enabled, the ruleset is:

pass in all
pass out all

So that shouldn't be the problem.

Here we go, first on the mailserver (192.168.0.3), with ECN disabled:

23:32:30.611782 192.168.0.3.20601 > 195.130.132.40.25: S [tcp sum ok] 74854948:74854948(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954601909 0> (DF) [tos 0x10] (ttl 64, id 30491)
0000: 4510 0040 771b 4000 4006 bb36 c0a8 0003 E..@w.@.@.»6À¨..
0010: c382 8428 5079 0019 0476 3224 0000 0000 Ã..(Py...v2$....
0020: b002 4000 1648 0000 0204 05b4 0101 0402 °.@..H.....´....
0030: 0103 0300 0101 080a 7480 dbb5 0000 0000 ........t.Ûµ....

23:32:30.612034 195.130.132.40.25 > 192.168.0.3.20601: R [tcp sum ok] 0:0(0) ack 74854949 win 0 (DF) (ttl 64, id 40773)
0000: 4500 0028 9f45 4000 4006 9334 c382 8428 E..(.E@.@..4Ã..(
0010: c0a8 0003 0019 5079 0000 0000 0476 3225 À¨....Py.....v2%
0020: 5014 0000 204d 0000 0000 0000 0000 P... M........

All OK here.

Now with ECN enabled:

23:39:09.432429 192.168.0.3.30785 > 195.130.132.40.25: SWE [tcp sum ok] 262876226:262876226(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954602707 0> (DF) [tos 0x10] (ttl 64, id 26356)
0000: 4510 0040 66f4 4000 4006 cb5d c0a8 0003 E..@fô@.@.Ë]À¨..
0010: c382 8428 7841 0019 0fab 2c42 0000 0000 Ã..(xA...«,B....
0020: b0c2 4000 e54e 0000 0204 05b4 0101 0402 °Â@.åN.....´....
0030: 0103 0300 0101 080a 7480 ded3 0000 0000 ........t.ÞÓ....

23:39:09.432716 195.130.132.40.25 > 192.168.0.3.30785: R [tcp sum ok] 0:0(0) ack 262876227 win 0 (DF) (ttl 64, id 54432)
0000: 4500 0028 d4a0 4000 4006 5dd9 c382 8428 E..(Ô @.@.]ÙÃ..(
0010: c0a8 0003 0019 7841 0000 0000 0fab 2c43 À¨....xA.....«,C
0020: 5014 0000 f331 0000 0000 0000 0000 P...ó1........

23:39:15.428479 192.168.0.3.30785 > 195.130.132.40.25: SWE [tcp sum ok] 262876226:262876226(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954602719 0> (DF) [tos 0x10] (ttl 64, id 21325)
0000: 4510 0040 534d 4000 4006 df04 c0a8 0003 E..@SM@.@.ß.À¨..
0010: c382 8428 7841 0019 0fab 2c42 0000 0000 Ã..(xA...«,B....
0020: b0c2 4000 e542 0000 0204 05b4 0101 0402 °Â@.åB.....´....
0030: 0103 0300 0101 080a 7480 dedf 0000 0000 ........t.Þß....

23:39:15.428763 195.130.132.40.25 > 192.168.0.3.30785: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 64, id 41759)
0000: 4500 0028 a31f 4000 4006 8f5a c382 8428 E..(£.@.@..ZÃ..(
0010: c0a8 0003 0019 7841 0000 0000 0fab 2c43 À¨....xA.....«,C
0020: 5014 0000 f331 0000 0000 0000 0000 P...ó1........

For some reason the second reset packet has an ack of 1.

And this is on the gateway running pf, only for the ECN packets:

23:41:13.085143 192.168.0.3.3001 > 195.130.132.40.25: SWE [tcp sum ok] 1748781580:1748781580(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954602989 0> (DF) [tos 0x10] (ttl 64, id 46470)
0000: 4510 0040 b586 4000 4006 7ccb c0a8 0003 E..@µ.@.@.|ËÀ¨..
0010: c382 8428 0bb9 0019 683c 4a0c 0000 0000 Ã..(.¹..h<J.....
0020: b0c2 4000 da61 0000 0204 05b4 0101 0402 °Â@.Úa.....´....
0030: 0103 0300 0101 080a 7480 dfed 0000 0000 ........t.ßí....
0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0070: 0000 ..

23:41:13.085336 195.130.132.40.25 > 192.168.0.3.3001: R [tcp sum ok] 0:0(0) ack 1748781581 win 0 (DF) (ttl 64, id 9115)
0000: 4500 0028 239b 4000 4006 0edf c382 8428 E..(#.@.@..ßÃ..(
0010: c0a8 0003 0019 0bb9 0000 0000 683c 4a0d À¨.....¹....h<J.
0020: 5014 0000 e95e 0000 P...é^..

23:41:19.081436 192.168.0.3.3001 > 195.130.132.40.25: SWE [tcp sum ok] 1748781580:1748781580(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954603001 0> (DF) [tos 0x10] (ttl 64, id 62257)
0000: 4510 0040 f331 4000 4006 3f20 c0a8 0003 E..@ó1@.@.? À¨..
0010: c382 8428 0bb9 0019 683c 4a0c 0000 0000 Ã..(.¹..h<J.....
0020: b0c2 4000 da55 0000 0204 05b4 0101 0402 °Â@.ÚU.....´....
0030: 0103 0300 0101 080a 7480 dff9 0000 0000 ........t.ßù....
0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0070: 0000 ..

23:41:19.081576 195.130.132.40.25 > 192.168.0.3.3001: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 64, id 12305)
0000: 4500 0028 3011 4000 4006 0269 c382 8428 E..(0.@.@..iÃ..(
0010: c0a8 0003 0019 0bb9 0000 0000 683c 4a0d À¨.....¹....h<J.
0020: 5014 0000 e95e 0000 P...é^..

Also note that the second reset packet leaving here has an ack of 1, I don't know if this is legal.

Between the 2 hosts is an el cheapo switch which just passes the packets, it doesn't touch their contents.

Hope this helps. Thanks.

// nick
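
An added example, not part of the original message: one way to run the "are both RSTs correct" check discussed in this thread, by decoding the TCP header straight from the hex bytes of the ECN-enabled mail server capture instead of reading tcpdump's summary line. The function names are hypothetical; the acceptance rule is the RFC 793 SYN-SENT test (the RST's ACK field must acknowledge the SYN).

```python
import struct

# Hex bytes copied from the capture in the message (mail server side, ECN on):
# the SYN and the two RSTs that answered it. IP + TCP headers only, no options.
SYN = ("4510004066f440004006cb5dc0a80003c382842878410019"
       "0fab2c4200000000b0c24000e54e0000")
RST1 = ("45000028d4a0400040065dd9c3828428c0a8000300197841"
        "000000000fab2c4350140000f3310000")
RST2 = ("45000028a31f400040068f5ac3828428c0a8000300197841"
        "000000000fab2c4350140000f3310000")

FLAG_NAMES = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
              (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def parse_tcp(hexstr):
    """Decode the IPv4 addresses and the fixed part of the TCP header."""
    pkt = bytes.fromhex(hexstr)
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 14:
        raise ValueError("not TCP or truncated")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    flags = off_flags & 0xFF                      # low byte: CWR ECE URG ACK PSH RST SYN FIN
    return {"src": (pkt[12:16], sport), "dst": (pkt[16:20], dport),
            "seq": seq, "ack": ack, "flags": flags,
            "names": [name for bit, name in FLAG_NAMES if flags & bit]}


def rst_answers_syn(syn, rst):
    """RFC 793, SYN-SENT: a RST is acceptable if its ACK field acknowledges the SYN."""
    return (rst["flags"] & 0x14 == 0x14           # RST and ACK both set
            and rst["src"] == syn["dst"] and rst["dst"] == syn["src"]
            and rst["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    syn = parse_tcp(SYN)
    print("SYN ", syn["names"], "seq", syn["seq"])
    for label, raw in (("RST1", RST1), ("RST2", RST2)):
        rst = parse_tcp(raw)
        print(label, rst["names"], "ack", rst["ack"],
              "answers SYN:", rst_answers_syn(syn, rst))
```

Both RSTs carry the same absolute ack value on the wire; tcpdump prints sequence and ack numbers relative to the flow after the first exchange unless run with -S.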