On 14.12.2006 at 17:10, Daniel Hartmeier wrote:
>> I'm still getting lots of warnings like this one:
>> ---------------------------------------------------------------------
>> Dec 14 11:16:47 pf: loose state match: TCP \
>> aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336 \
>> [lo=3396551343 high=3396616878 win=5840 modulator=874376751] \
>> [lo=3752913744 high=3752919543 win=65535 modulator=3189448930] \
>> 9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10
>
> For RSTs, the sequence number in the packet must match a value
> precisely; I suspect this is not the case here. Unfortunately, what is
> logged is not the actual sequence number of the packet.
>
> Try to capture one such connection with tcpdump -nvvvS, from the
> initial SYN to the blocked RST, consisting only of packets that match
> this connection.
>
> I suspect the sender of the RST is incrementing the sequence number in
> the RST inappropriately, or such. Hard to tell without a trace.
A fancy thing happened here: after rebooting both pfsynced firewalls
simultaneously, all "loose state match" warnings have gone away.
Not a single such warning in 24 hours.

Should I use "-F all" while reloading the config and see such state
warnings?

The last thing I changed before the reboot was changing tcp.closed from 1
back to its default.
Axel
---------------------------------------------------------------------
Axel Rau, Frankfurt, Germany +49 69 9514 18 0
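As an added illustration that is not part of the thread: a small parser for the "pf: loose state match" line format quoted above, with a check for Daniel's caveat that the seq/ack values in the line are the two peers' tracked lo values rather than the offending packet's own numbers. The sample line is the one from the thread re-joined onto one line; the field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the log line quoted in the thread, re-joined onto one
# line (the mail wraps it with backslashes for display).
SAMPLE = ("Dec 14 11:16:47 pf: loose state match: TCP "
          "aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336 "
          "[lo=3396551343 high=3396616878 win=5840 modulator=874376751] "
          "[lo=3752913744 high=3752919543 win=65535 modulator=3189448930] "
          "9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10")

# One bracketed block per peer: the sequence window pf tracks for that side.
PEER_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)\]")
# Trailing part: TCP state pair, flags, and the logged seq/ack/len/ackskew/pkts.
TAIL_RE = re.compile(r"(\d+):(\d+) (\S+) seq=(\d+) ack=(\d+) len=(\d+) "
                     r"ackskew=(-?\d+) pkts=(\d+):(\d+)$")


@dataclass
class Peer:
    lo: int
    high: int
    win: int
    modulator: int

    def span(self) -> int:
        """Width of the sequence window pf currently accepts for this peer
        (modulo 2^32, since sequence numbers wrap)."""
        return (self.high - self.lo) % 2**32


def parse_loose_state_match(line: str):
    """Return the fields of one 'pf: loose state match' line, or None if the
    line is not such a warning. Field names here are my own labels."""
    if "loose state match:" not in line:
        return None
    peers = [Peer(*map(int, m.groups())) for m in PEER_RE.finditer(line)]
    tail = TAIL_RE.search(line)
    if len(peers) != 2 or tail is None:
        raise ValueError("unrecognised loose state match format")
    st_src, st_dst, flags, seq, ack, ln, skew, p_src, p_dst = tail.groups()
    return {"src": peers[0], "dst": peers[1],
            "states": (int(st_src), int(st_dst)), "flags": flags,
            "seq": int(seq), "ack": int(ack), "len": int(ln),
            "ackskew": int(skew), "pkts": (int(p_src), int(p_dst))}


def logged_seq_is_state_lo(rec) -> bool:
    """Daniel's caveat made checkable: when the logged seq/ack coincide with
    the peers' lo values, the line does not carry the packet's own sequence
    number, so only a tcpdump -S trace can show why the RST was refused."""
    return rec["seq"] == rec["src"].lo and rec["ack"] == rec["dst"].lo
```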