Hi! 

Thank you for the quick answer! 
I tried what you said, and found that when pf was not enabled everything
went fine (I couldn't see any connection in the TIME_WAIT state with
netstat -n; I think the state was removed pretty fast).
Could you explain to me why this happened?

Two consecutive hping tests (hping -c 1 -s 60002 -S -p 22 1.2.3.4) give the
following results without pf and with pf (the destination was my OpenBSD
box's ssh port).
Without PF:
hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:18:08.729160 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 1101736515:1101736515(0) win 512
14:18:08.729449 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 4118501604:4118501604(0) ack 1101736516 win 16384 <mss 1460>
14:18:08.729458 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 1101736516:1101736516(0) win 0

hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:18:10.247320 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 1568181478:1568181478(0) win 512
14:18:10.247565 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 2956670909:2956670909(0) ack 1568181479 win 16384 <mss 1460>
14:18:10.247574 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 1568181479:1568181479(0) win 0


With PF:
hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:16:48.379903 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 1809653489:1809653489(0) win 512
14:16:48.381907 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 3965240421:3965240421(0) ack 1809653490 win 16384 <mss 1460>
14:16:48.381918 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 1809653490:1809653490(0) win 0

hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:16:49.545931 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 432383509:432383509(0) win 512

Thank you for your help! 
Tamas


-----Original Message-----
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED] 
Sent: 2005. december 12. 16:31
To: Németh Tamás
Cc: pf@benzedrine.cx
Subject: Re: stucked connection (missing rst??)

On Mon, Dec 12, 2005 at 03:56:18PM +0100, Németh Tamás wrote:

> Is this communication invalid? Is it against rfc?

Yes, it violates the TCP RFC 793, see sections "Knowing When to Keep
Quiet" and "The TCP Quiet Time Concept" starting on page 27 of

  http://www.faqs.org/rfcs/rfc793.html

The concept of the quiet period is not specific to pf, but to TCP in
general. Even if you'd disable pf, you'd most likely notice that your
second hping SYN would not elicit a second SYN+ACK from the recipient,
as the recipient's TCP/IP stack also keeps a record of the first (reset)
connection with a TIME_WAIT (or CLOSED) state (try netstat -n on the
recipient).

Daniel
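
The following is an added example for this page, not code from the thread and not pf's own code. It replays the "With PF" capture quoted above (joined to one tcpdump line per packet) through a deliberately simplified pf-style state table: the first SYN creates a state, the RST moves it to CLOSED but leaves it in the table for TCP_CLOSED_TIMEOUT seconds (assumed here to be pf's default tcp.closed value of 90 seconds), and a second SYN for the same 4-tuple that arrives while that entry still exists, carrying a different ISN, is refused. Real pf does full sequence-window tracking on the existing state; that is not modelled, only the shape of the quiet-time argument is.

```python
"""Replay of the "With PF" capture through a simplified pf-style state table.

Added example written for this page; not code from the thread or from pf.
Assumption: pf's default tcp.closed timeout is 90 s.  The model keeps a
state for a 4-tuple until that timeout has passed since its last packet,
so a fresh SYN inside that window is not treated as a new connection.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

TCP_CLOSED_TIMEOUT = 90.0  # seconds; pf's default "tcp.closed" timeout (assumed)

# One packet per line, joined from the wrapped tcpdump -e lines quoted in the thread.
CAPTURE_WITH_PF = """\
14:16:48.379903 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 1809653489:1809653489(0) win 512
14:16:48.381907 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 3965240421:3965240421(0) ack 1809653490 win 16384 <mss 1460>
14:16:48.381918 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 1809653490:1809653490(0) win 0
14:16:49.545931 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 432383509:432383509(0) win 512
"""

# Old-style tcpdump TCP line: "HH:MM:SS.usec ... : IP a.b.c.d.port > e.f.g.h.port: FLAGS seq:seq(len) [ack N] ..."
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) .*?: IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRFP.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    ack: Optional[int]  # present on the SYN+ACK, absent on a bare SYN or RST


def parse_capture(text):
    """Parse tcpdump lines into Packet records; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        packets.append(Packet(ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              m["flags"], int(m["seq"]), int(m["ack"]) if m["ack"] else None))
    return packets


@dataclass
class State:
    status: str     # "OPENING" after the SYN, "CLOSED" after the RST
    isn: int        # ISN of the SYN that created the state
    updated: float  # timestamp of the last packet that matched it


def state_key(p):
    """Direction-independent key so both directions of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def replay(packets):
    """Run packets through the state table; return one verdict string per packet."""
    table = {}
    verdicts = []
    for p in packets:
        k = state_key(p)
        st = table.get(k)
        if st is not None and p.ts - st.updated > TCP_CLOSED_TIMEOUT:
            del table[k]  # quiet time over: the old state has expired
            st = None
        bare_syn = "S" in p.flags and p.ack is None
        if bare_syn:
            if st is None:
                table[k] = State("OPENING", p.seq, p.ts)
                verdicts.append("pass: new state")
            elif p.seq == st.isn:
                st.updated = p.ts
                verdicts.append("pass: retransmitted SYN")
            else:
                verdicts.append(f"drop: {st.status} state still exists for this 4-tuple")
        elif st is None:
            verdicts.append("drop: no state")
        else:
            if "R" in p.flags:
                st.status = "CLOSED"
            st.updated = p.ts
            verdicts.append("pass")
    return verdicts


def second_syn_verdict(delay=0.0):
    """Verdict for the second hping SYN if it had been sent `delay` seconds later."""
    packets = parse_capture(CAPTURE_WITH_PF)
    last = replace(packets[-1], ts=packets[-1].ts + delay)
    return replay(packets[:-1] + [last])[-1]


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE_WITH_PF)
    for p, v in zip(pkts, replay(pkts)):
        print(f"{p.ts:.6f} {p.src}:{p.sport} > {p.dst}:{p.dport} {p.flags:<2} {v}")
    print("same second SYN sent 100 s later:", second_syn_verdict(100.0))
```

Running it shows the first three packets passing, the second SYN (sent 1.2 s after the RST) dropped because the CLOSED state for 1.2.3.5:60002 <-> 1.2.3.4:22 is still in the table, and the same SYN accepted as a new state once it is pushed past the 90 s timeout. On a real box the corresponding check is `pfctl -ss` right after the first hping, which should list the entry and its remaining lifetime.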
