On Fri, Mar 13, 2009 at 10:15:06AM +, Stuart Henderson wrote:
> On 2009/03/13 10:25, Jeremie Le Hen wrote:
> >
> > It doesn't seem to be possible to disable sequence number/window
> > tracking. Does it?
>
> It's possible if you port the "sloppy" state handling code from OpenBSD..
Using 'slo
On Fri, Mar 13, 2009 at 10:25:15AM +0100, Jeremie Le Hen wrote:
> % Mar 13 08:18:52 yoda /netbsd: pf: BAD state: TCP 82.233.239.98:39225
> 82.233.239.98:39225 88.187.38.85:80 [lo=3443494040 high=3443494041 win=2048
> modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3041360721 ack=0 len=0
On 2009/03/13 10:25, Jeremie Le Hen wrote:
>
> It doesn't seem to be possible to disable sequence number/window
> tracking. Does it?
It's possible if you port the "sloppy" state handling code from OpenBSD..
Daniel,
On Thu, Mar 12, 2009 at 04:01:38PM +0100, Daniel Hartmeier wrote:
> The following scenario would produce what you observe:
>
> 1) nmap sends a first TCP SYN to AAA.BBB.CCC.DDD with a random
> initial sequence number th_seq1
> 2) pf allows the packet out and creates a state entry
On Thu, Mar 12, 2009 at 10:13:53AM +0100, Jeremie Le Hen wrote:
> % yoda# nmap -sS AAA.BBB.CCC.DDD
> % Starting Nmap 4.65 ( http://nmap.org ) at 2009-03-12 08:00 CET
> % sendto in send_ip_packet: sendto(4, packet, 44, 0, AAA.BBB.CCC.DDD, 16) =>
> No route to host
> % Offending packet: TCP WWW.XXX
Dear list,
I'm running a firewall using pf under NetBSD 4.0.1. I've experienced a
weird problem which appears to be due to the outgoing rule:
% pass out quick all keep state
I first noticed it when I ran "nmap -sS" (uses raw sockets) and got:
% yoda# nmap -sS AAA.BBB.CCC.DDD
% Starting Nmap 4.