I've noticed 62.65.145.30 in my logs quite a bit; imagine my surprise when I realized why the IP seemed familiar (insomnia.benzedrine.cx).

I'm not sure where the problem may be. Google search results showed an interesting post by Daniel at http://archives.neohapsis.com/archives/openbsd/2002-03/1601.html but not much else that's useful.

I'm thinking S/FSRA is a possible culprit (see the pf.conf below the logged packets) and/or a state timeout. Any other possibilities or suggestions? I'd focus on the S/FSRA but for the PSH and RST packets from port 113.



All relevant logs over a 12-hour period.

tcpdump -n -e -ttt -r /var/log/pflog | grep 62.65.145.30
Dec 17 04:22:49.509085 rule 15/0(match): pass in on we0: 62.65.145.30.10115 > 66.93.114.234.25: S 153169387:153169387(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537787229 0>
Dec 17 04:34:11.994148 rule 15/0(match): pass in on we0: 62.65.145.30.48708 > 66.93.114.234.25: S 2067872335:2067872335(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537788595 0>
Dec 17 04:54:04.734955 rule 15/0(match): pass in on we0: 62.65.145.30.14233 > 66.93.114.234.25: S 228339139:228339139(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537790982 0>
Dec 17 05:53:12.046579 rule 15/0(match): pass in on we0: 62.65.145.30.11949 > 66.93.114.234.25: S 3665059756:3665059756(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537798078 0>
Dec 17 07:45:13.406778 rule 15/0(match): pass in on we0: 62.65.145.30.6045 > 66.93.114.234.25: S 1063800861:1063800861(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537811520 0>
Dec 17 07:47:24.151090 rule 15/0(match): pass in on we0: 62.65.145.30.6088 > 66.93.114.234.25: S 670134939:670134939(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537811775 0>
Dec 17 07:50:52.508166 rule 15/0(match): pass in on we0: 62.65.145.30.4200 > 66.93.114.234.25: S 1886455985:1886455985(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537812197 0>
Dec 17 07:52:25.063986 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 308878154:308878187(33) ack 341538861 win 16656 <nop,nop,timestamp 537811876 2479231986>
Dec 17 07:53:13.971165 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812483 2479231986>
Dec 17 07:53:31.478449 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: P 953885106:953885139(33) ack 2591819387 win 16656 <nop,nop,timestamp 537812519 2458326896>
Dec 17 07:54:18.062645 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812611 2479231986>
Dec 17 07:54:35.476536 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812647 2458326896>
Dec 17 07:55:22.037016 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812739 2479231986>
Dec 17 07:55:39.476640 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812775 2458326896>
Dec 17 07:56:26.033570 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: R 34:34(0) ack 1 win 0
Dec 17 07:56:45.790170 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812903 2458326896>
Dec 17 07:57:49.425015 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537813031 2458326896>
Dec 17 07:58:51.568897 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537813159 2458326896>
Dec 17 07:59:56.243277 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537813287 2458326896>
Dec 17 08:00:59.474042 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.35130: R 34:34(0) ack 1 win 0
Dec 17 09:55:28.550016 rule 15/0(match): pass in on we0: 62.65.145.30.46634 > 66.93.114.234.25: S 2194425652:2194425652(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537827151 0>
Dec 17 10:02:45.731089 rule 15/0(match): pass in on we0: 62.65.145.30.1735 > 66.93.114.234.25: S 3047293502:3047293502(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537828024 0>
Dec 17 10:03:54.692784 rule 15/0(match): pass in on we0: 62.65.145.30.4008 > 66.93.114.234.25: S 3785119055:3785119055(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537828160 0>
Dec 17 10:07:38.989905 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.12625: P 3232723311:3232723344(33) ack 2079895142 win 16656 <nop,nop,timestamp 537828610 2853972079>
Dec 17 10:08:43.096657 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.12625: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537828738 2853972079>
Dec 17 10:09:47.133264 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.12625: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537828866 2853972079>
Dec 17 10:10:51.170862 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.12625: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537828994 2853972079>
Dec 17 10:11:55.197753 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.12625: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537829122 2853972079>
Dec 17 10:12:59.211292 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.12625: R 34:34(0) ack 1 win 0
Dec 17 10:33:19.995002 rule 15/0(match): pass in on we0: 62.65.145.30.17282 > 66.93.114.234.25: S 3235979929:3235979929(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537831689 0>
Dec 17 10:43:09.523857 rule 15/0(match): pass in on we0: 62.65.145.30.28999 > 66.93.114.234.25: S 2926199692:2926199692(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537832868 0>
Dec 17 10:43:31.334411 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 3235980005:3235980005(0) ack 4236852435 win 16800
Dec 17 10:43:33.859230 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:43:38.860655 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:43:48.798214 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:44:08.738922 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:44:48.855363 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:44:49.044365 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: P 3490191340:3490191374(34) ack 3952393096 win 16656 <nop,nop,timestamp 537833062 1941346714>
Dec 17 10:45:48.713735 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537833190 1941346714>
Dec 17 10:45:52.739084 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:46:52.712507 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537833318 1941346714>
Dec 17 10:46:56.738908 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:47:56.722065 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537833446 1941346714>
Dec 17 10:48:00.749969 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:49:00.720584 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537833574 1941346714>
Dec 17 10:49:04.745380 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:50:03.392180 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537833702 1941346714>
Dec 17 10:50:07.420037 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:51:07.390617 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537833830 1941346714>
Dec 17 10:51:11.415775 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:52:11.385630 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.23870: R 35:35(0) ack 1 win 0
Dec 17 10:52:15.417286 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:53:19.460221 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: R 1:1(0) ack 1 win 0
Dec 17 10:56:04.428453 rule 15/0(match): pass in on we0: 62.65.145.30.46836 > 66.93.114.234.25: S 2783317572:2783317572(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537834424 0>
Dec 17 10:58:51.145605 rule 15/0(match): pass in on we0: 62.65.145.30.45305 > 66.93.114.234.25: S 4021750781:4021750781(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537834755 0>
Dec 17 11:00:59.702023 rule 15/0(match): pass in on we0: 62.65.145.30.48414 > 66.93.114.234.25: S 3164540276:3164540276(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537835009 0>
Dec 17 11:04:12.794014 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.33867: P 2817266585:2817266619(34) ack 650958279 win 16656 <nop,nop,timestamp 537835397 133945041>
Dec 17 11:05:16.853189 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.33867: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537835525 133945041>
Dec 17 11:06:20.932405 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.33867: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537835653 133945041>
Dec 17 11:07:24.848725 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.33867: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537835781 133945041>
Dec 17 11:08:28.873874 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.33867: P 0:34(34) ack 1 win 16656 <nop,nop,timestamp 537835909 133945041>
Dec 17 11:09:32.889779 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.33867: R 35:35(0) ack 1 win 0
Dec 17 11:12:08.469263 rule 15/0(match): pass in on we0: 62.65.145.30.45263 > 66.93.114.234.25: S 1310856786:1310856786(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537836344 0>


Current pf.conf (OpenBSD 3.4 Release & patches listed at http://www.openbsd.org/errata.html).

cat /etc/pf.conf
##
## Macros
ext_if = "we0"
int_if = "we1"
ext_ip = "66.93.114.234"
int_net = "10.5.25.0/24"
##
## Tables
table <rfc3330> const { 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24, 192.168/16 }
##
## Options
set block-policy drop
set loginterface $ext_if
##
## Packet Normalization
scrub on $ext_if all no-df random-id reassemble tcp fragment reassemble
##
## Packet Queueing
altq on $ext_if priq bandwidth 768Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
##
## Packet Translation
nat on $ext_if from $int_net to any -> $ext_if
##
## Packet Rules - Default
block quick inet6 all
block quick from no-route to any
block log all
##
## Packet Rules - Loopback Interface
pass quick on lo0 all
##
## Packet Rules - Internal Interface
pass quick on $int_if all
##
## Packet Rules - External Interface (OUTBOUND)
block out log quick on $ext_if from ! $ext_ip to any
block return out quick on $ext_if from any to <rfc3330>
pass out quick on $ext_if inet proto tcp all flags S/SA modulate state queue (q_def, q_pri)
pass out quick on $ext_if inet proto tcp all modulate state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all keep state
##
## Packet Rules - External Interface (INBOUND)
block in log quick on $ext_if from any to ! $ext_ip
block in quick on $ext_if from <rfc3330> to any
block in quick on $ext_if from 255.255.255.255/32 to any
pass in quick on $ext_if inet proto icmp all icmp-type echoreq code 0 keep state
## logged as rule 15 in the pflog output above
pass in log quick on $ext_if inet proto tcp from any to any port smtp flags S/FSRA synproxy state queue (q_def, q_pri)
block return in quick on $ext_if inet proto tcp from any to any port auth flags S/FSRA
## logged as rule 17 in the pflog output above
block in log quick on $ext_if all

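The pattern in the pflog output above (non-SYN segments from port 113 and the FIN retransmissions of the session from port 17282 all landing on rule 17) can be checked mechanically rather than by eye. The script below is an added example, not part of the original post and not pf's own tooling: it parses records in the tcpdump format shown above, groups the blocked packets that carry no SYN by 4-tuple, measures the spacing of the drops, and looks back for the passed SYN that should have created the state. It assumes one record per line, all records on one day, and, for replies from port 113, that the ident lookup was triggered by the most recent SMTP connection from the same host (the outbound pass rule does not log, so the ident SYN itself never appears in pflog). The embedded sample records are copied from the post.

```python
"""Added triage helper for pflog output (tcpdump -n -e -ttt -r /var/log/pflog).
A blocked segment without SYN (PSH, FIN, RST) means pf found no state for it
when it arrived, whereas a blocked SYN is ordinary policy.  Records are assumed
joined onto one line each and all on the same day (times are seconds since midnight)."""
import re
from collections import defaultdict

# One record in the OpenBSD 3.4 tcpdump format shown in the post (TCP only).
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on \w+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) ")

def parse(lines):
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not TCP, or a fragment of a wrapped line
        r = m.groupdict()
        h, mi, s = r["time"].split(":")
        r["t"] = int(h) * 3600 + int(mi) * 60 + float(s)
        out.append(r)
    return out

def key(r):
    return (r["src"], r["sport"], r["dst"], r["dport"])

def stateless_blocks(records):
    """Per 4-tuple: blocked packets that never include a SYN, the spacing of
    the drops in whole seconds (retransmission intervals) and whether the
    peer finally gave up with a RST."""
    flows = defaultdict(list)
    for r in records:
        if r["action"] == "block":
            flows[key(r)].append(r)
    result = {}
    for k, pkts in flows.items():
        if any("S" in p["flags"] for p in pkts):
            continue
        ts = [p["t"] for p in pkts]
        result[k] = {"rule": pkts[0]["rule"], "count": len(pkts), "first": ts[0],
                     "gaps": [round(b - a) for a, b in zip(ts, ts[1:])],
                     "ends_with_rst": "R" in pkts[-1]["flags"]}
    return result

def state_origin(records, k, first_t, smtp_port="25"):
    """The passed SYN that should have created state for k, and the seconds
    from it to the first drop.  A reply from port 113 has no logged SYN (the
    outbound pass rule does not log), so fall back to the newest passed SMTP
    SYN from that host; ASSUMPTION: that SMTP session triggered the ident lookup."""
    syns = [r for r in records if r["action"] == "pass" and "S" in r["flags"] and r["t"] < first_t]
    own = [r for r in syns if key(r) == k]
    if own:
        return "own syn", round(first_t - own[-1]["t"])
    if k[1] == "113":
        trig = [r for r in syns if r["src"] == k[0] and r["dport"] == smtp_port]
        if trig:
            return f"smtp syn from {k[0]}.{trig[-1]['sport']}", round(first_t - trig[-1]["t"])
    return "none logged", None

def report(lines):
    """Map 4-tuple -> drop statistics plus the presumed origin of the missing state."""
    recs = parse(lines)
    out = {}
    for k, info in stateless_blocks(recs).items():
        origin, delay = state_origin(recs, k, info["first"])
        out[k] = dict(info, origin=origin, delay=delay)
    return out

# Records copied from the post (rejoined onto one line each): the ident reply
# flow 113 -> 25732 with the SMTP SYN before it, and the SMTP session from port 17282.
SAMPLE = """\
Dec 17 07:50:52.508166 rule 15/0(match): pass in on we0: 62.65.145.30.4200 > 66.93.114.234.25: S 1886455985:1886455985(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537812197 0>
Dec 17 07:52:25.063986 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 308878154:308878187(33) ack 341538861 win 16656 <nop,nop,timestamp 537811876 2479231986>
Dec 17 07:53:13.971165 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812483 2479231986>
Dec 17 07:54:18.062645 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812611 2479231986>
Dec 17 07:55:22.037016 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: P 0:33(33) ack 1 win 16656 <nop,nop,timestamp 537812739 2479231986>
Dec 17 07:56:26.033570 rule 17/0(match): block in on we0: 62.65.145.30.113 > 66.93.114.234.25732: R 34:34(0) ack 1 win 0
Dec 17 10:33:19.995002 rule 15/0(match): pass in on we0: 62.65.145.30.17282 > 66.93.114.234.25: S 3235979929:3235979929(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 537831689 0>
Dec 17 10:43:31.334411 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 3235980005:3235980005(0) ack 4236852435 win 16800
Dec 17 10:43:33.859230 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:43:38.860655 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:43:48.798214 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:44:08.738922 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:44:48.855363 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:45:52.739084 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:46:56.738908 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:48:00.749969 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:49:04.745380 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:50:07.420037 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:51:11.415775 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:52:15.417286 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: F 0:0(0) ack 1 win 16800
Dec 17 10:53:19.460221 rule 17/0(match): block in on we0: 62.65.145.30.17282 > 66.93.114.234.25: R 1:1(0) ack 1 win 0
"""

if __name__ == "__main__":
    for k, v in sorted(report(SAMPLE.splitlines()).items()):
        print(k, v)
```

On the sample it reports the ident replies to port 25732 dropped five times at 49/64/64/64 s spacing and ending in a RST, the first drop 93 s after the SMTP SYN from port 4200 was passed; and the FINs from port 17282 dropped 14 times at 3/5/10/20/40/64 s spacing, ending in a RST, the first drop 611 s after that session's own SYN was passed. Both are mid-connection segments for which pf had no state at the moment they arrived. The script only establishes that; why the state was gone by then (the timeout the post suspects, or something else) is exactly the open question, and the same tool run over the full 12 hours lets you compare the delay-to-first-drop across every affected session.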