Hi! Thank you for the quick answer! I have tried what you said, and I experienced that, when pf was not enabled, then everything went fine (I couldn't see any connection in TIME_WAIT state with netstat -n; I think the state was removed pretty fast). Could you explain to me why this happened?
2 consecutive hping tests give the following results with pf and without pf (hping -c 1 -s 60002 -S -p 22 1.2.3.4) (destination was my openbsd's ssh port)

Without PF:

hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:18:08.729160 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 1101736515:1101736515(0) win 512
14:18:08.729449 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 4118501604:4118501604(0) ack 1101736516 win 16384 <mss 1460>
14:18:08.729458 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 1101736516:1101736516(0) win 0

hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:18:10.247320 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 1568181478:1568181478(0) win 512
14:18:10.247565 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 2956670909:2956670909(0) ack 1568181479 win 16384 <mss 1460>
14:18:10.247574 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 1568181479:1568181479(0) win 0

With PF:

hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:16:48.379903 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 1809653489:1809653489(0) win 512
14:16:48.381907 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 3965240421:3965240421(0) ack 1809653490 win 16384 <mss 1460>
14:16:48.381918 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 1809653490:1809653490(0) win 0

hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:16:49.545931 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 432383509:432383509(0) win 512

Thank you for your help!
Tamas

-----Original Message-----
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]
Sent: 2005. december 12. 16:31
To: Németh Tamás
Cc: pf@benzedrine.cx
Subject: Re: stucked connection (missing rst??)

On Mon, Dec 12, 2005 at 03:56:18PM +0100, Németh Tamás wrote:

> Is this communication invalid? Is it against rfc?

Yes, it violates the TCP RFC 793, see sections "Knowing When to Keep Quiet" and "The TCP Quiet Time Concept" starting on page 27 of

  http://www.faqs.org/rfcs/rfc793.html

The concept of the quiet period is not specific to pf, but to TCP in general. Even if you'd disable pf, you'd most likely notice that your second hping SYN would not elicit a second SYN+ACK from the recipient, as the recipient's TCP/IP stack also keeps a record of the first (reset) connection with a TIME_WAIT (or CLOSED) state (try netstat -n on the recipient).

Daniel
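The two captures in this thread can be compared mechanically. The script below is an added example, not part of either message: it pairs every bare SYN with the SYN+ACK that acknowledges it (ack = seq + 1) and records whether the same address/port pair had already been reset earlier in the capture. The names syn_report, WITHOUT_PF and WITH_PF are this example's own; the packet lines are copied from the message above with the Ethernet header trimmed.

```python
import re

# Packet lines copied from the two captures in the message (Ethernet header trimmed).
WITHOUT_PF = """\
14:18:08.729160 IP 1.2.3.5.60002 > 1.2.3.4.22: S 1101736515:1101736515(0) win 512
14:18:08.729449 IP 1.2.3.4.22 > 1.2.3.5.60002: S 4118501604:4118501604(0) ack 1101736516 win 16384 <mss 1460>
14:18:08.729458 IP 1.2.3.5.60002 > 1.2.3.4.22: R 1101736516:1101736516(0) win 0
14:18:10.247320 IP 1.2.3.5.60002 > 1.2.3.4.22: S 1568181478:1568181478(0) win 512
14:18:10.247565 IP 1.2.3.4.22 > 1.2.3.5.60002: S 2956670909:2956670909(0) ack 1568181479 win 16384 <mss 1460>
14:18:10.247574 IP 1.2.3.5.60002 > 1.2.3.4.22: R 1568181479:1568181479(0) win 0
"""
WITH_PF = """\
14:16:48.379903 IP 1.2.3.5.60002 > 1.2.3.4.22: S 1809653489:1809653489(0) win 512
14:16:48.381907 IP 1.2.3.4.22 > 1.2.3.5.60002: S 3965240421:3965240421(0) ack 1809653490 win 16384 <mss 1460>
14:16:48.381918 IP 1.2.3.5.60002 > 1.2.3.4.22: R 1809653490:1809653490(0) win 0
14:16:49.545931 IP 1.2.3.5.60002 > 1.2.3.4.22: S 432383509:432383509(0) win 512
"""

# time, source, destination, flags, starting sequence number, optional ack number
PACKET = re.compile(
    r"(\d\d:\d\d:\d\d\.\d+) .*?IP (\S+) > (\S+): (\S+) (\d+):\d+\(\d+\)(?: ack (\d+))?")

def syn_report(capture):
    """Return (time, answered, reused_after_rst) for every bare SYN in capture."""
    syns, reset_pairs = [], set()
    for line in capture.splitlines():
        m = PACKET.search(line)
        if not m:
            continue
        ts, src, dst, flags, seq, ack = m.groups()
        pair = frozenset((src, dst))          # same key for both directions
        if "S" in flags and ack is None:      # bare SYN opens a new attempt
            syns.append([ts, pair, int(seq), False, pair in reset_pairs])
        elif "S" in flags:                    # SYN+ACK answers the SYN with seq == ack - 1
            for s in syns:
                if s[1] == pair and (s[2] + 1) % 2**32 == int(ack):
                    s[3] = True
        elif "R" in flags:                    # remember that this pair was reset
            reset_pairs.add(pair)
    return [(s[0], s[3], s[4]) for s in syns]

if __name__ == "__main__":
    for name, cap in (("without pf", WITHOUT_PF), ("with pf", WITH_PF)):
        for ts, answered, reused in syn_report(cap):
            print(f"{name}: SYN at {ts} answered={answered} reused_after_rst={reused}")
```

The pattern also matches the untrimmed lines as they appear in the message, so a full tcpdump capture in the same output format can be passed to syn_report unchanged.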