Re: instable vpn after upgrading to 4.8

2010-12-23 Thread Aaron Stellman
On Mon, Dec 20, 2010 at 11:54:57PM +0100, Axel Rau wrote:
> On 20.12.2010 at 12:50, Axel Rau wrote:
> 
> > After upgrading to 4.8 (stable) the vpn starts blocking in one
> > direction after 2 days of uptime of the gateway pair.
> Today it took only 2 hours to start blocking.
> Blocking can be prevented by keeping a ping running.

I started experiencing similar stuff around 3 months ago. It never happened
before that, and I haven't changed any PF/IPsec settings.
Unfortunately, I am unable to track it down, so this kind of bug
report is useless.

I tunnel IMAP connections out, so it's easy to notice any problems with the
IPsec tunnel. Once it happens, it takes around 10 minutes for the tunnel to recover.

I will try to see if I can get more details.

OpenBSD 4.8-current (GENERIC) #460: Sat Oct 30 10:30:25 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.66GHz ("GenuineIntel" 686-class) 2.68 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CNXT-ID,CX16,xTPR
real mem  = 535326720 (510MB)
avail mem = 516562944 (492MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/26/06, BIOS32 rev. 0 @ 0xfa9e0, SMBIOS rev. 2.3 @ 0xf0100 (34 entries)
bios0: vendor Award Software International, Inc. version "FA" date 12/26/2006
bios0: Gigabyte Technology Co., Ltd. 8I865GME-775-RH
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices HUB0(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S1) PCI0(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 4, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 75 degC
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xa400!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82865G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xf000, size 0x800
inteldrm0 at vga1: apic 2 int 16 (irq 5)
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 16 (irq 5)
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 19 (irq 6)
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 18 (irq 11)
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 2 int 16 (irq 5)
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 2 int 23 (irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci1 at ppb0 bus 1
fxp0 at pci1 dev 8 function 0 "Intel PRO/100 VE" rev 0x02, i82562: apic 2 int 20 (irq 10), address 00:16:e6:d9:0f:eb
inphy0 at fxp0 phy 1: i82562G 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 2 "Intel 82801EB SATA" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 76318MB, 156299375 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 2 int 17 (irq 3)
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM non-parity PC3200CL3.0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x2e/2: IT8718F rev 2, EC port 0x290
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support



Systemic Clinical Practice - Summer 2011

2010-12-23 Thread difusion-esa
Reply to: i...@escuelasistemica.com.ar


The Escuela Sistémica Argentina is an institution that runs training for
systemic family therapists, research, and psychological care.

Director: Dr. Horacio Serebrinsky - Academic Director: Dr. Marcelo R.
Ceberio

SUMMER COURSES 2011

Systemic clinical practice

Enrolment is open!

The School is organising an introductory course in systemic clinical
practice so that those who wish to use their holiday time for training
can do so with a course of excellence.

The course consists of 10 introductory and clinical classes on different
topics within the framework of systemic thinking, plus Clinical Supervision
classes, taught by the School's specialists.

The classes are interdependent, so it is possible to take the complete
course as well as only the classes that are of interest to the
professional.

  * Course I: week of 24 to 28 January, 09:00 to 14:30

  * Course II: week of 21 to 25 February, 16:00 to 21:00

  * Course III: January to March, Wednesdays from 18:00 to 21:00 (starts
5 January)

CLASSES: Introduction to systemic thinking, Phobias and panic, Child
clinical practice, Addictions from the systemic model, Psychosis from the
systemic model, Family Diversity, Eating disorders, Couples therapy,
Ericksonian Hypnosis and Clinical closing.

TEACHERS: Dr. H. SEREBRINSKY, Dr. M. RODRIGUEZ CEBERIO, Lic. C. DES
CHAMPS, Lic. G. PIATTI, Lic. M. PERRONE, Lic. F. RUBANO, Lic. S. MUIÑO,
Lic. L. LOCKER.

PRIOR REGISTRATION: ESCUELA SISTÉMICA ARGENTINA
Fray J. S. M. Oro 1843 (C1414DBC) Cap. Fed.
Tel/ Fax: 4774-2875/6112 -  4899-1053
i...@escuelasistemica.com.ar / www.escuelasistemica.com.ar



Re: Print server

2010-12-23 Thread Jacob Meuser
On Thu, Dec 23, 2010 at 10:40:27PM +0100, Jean-Francois wrote:
> On Wednesday 22 December 2010 23:40:03, Jacob Meuser wrote:
> > On Wed, Dec 22, 2010 at 11:20:47PM +0100, Jean-Francois wrote:
> > > Hello,
> > >
> > > I would like to use a printer on the server and share it like samba
> > > supports, have it a shared network printer through openbsd server.
> > >
> > > The printer is actually a usb one that I would like to connect to the
> > > server. Is this basically working ? supported ?
> >
> > usb printers?  see ulpt(4).  some also work as ugen(4), if the driver
> > supports that.
> >
> > > Printer is Brother HL 2030, driver seems available for Linux. Can you
> > > recommend the best way to proceed ? It's first time for me, I saw things
> > > such as cups, never dive into yet.
> > >
> > > Thanks.
> >
> > http://www.openprinting.org/printer/Brother/Brother-HL-2030
> >
> > that gives you some hints.  granted, they're talking about linux so
> > not all of that is relevant, but the recommended driver is hl1250, which
> > is in the 'gs' binary of the ghostscript package.
> 
> Hi,
> I'm not used to installing printers on Unix, so I'm not sure whether ulpt / ugen
> are enough to handle that printer. Do I need cups or a printer driver?

you don't /need/ cups.  it might be easier, or it might be a pain.

you do, however, need to set up a print filter (sometimes referred to
as a driver (yes, it's confusing)) because your device doesn't do
postscript natively.

> I
> Installed only samba server at the moment.

samba is a whole other issue.  get your printer working locally first.

http://onlamp.com/pub/a/bsd/2004/07/08/FreeBSD_Basics.html

should get you started

http://www.freebsd.org/doc/handbook/printing.html is a bit more verbose.
it's also somewhat dated, but lpd has not changed much over the years.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



7 Profitable marketing strategies

2010-12-23 Thread tvinternet08

Good morning, on this occasion we would like to share with you seven
new strategies to maximise your company's visibility while minimising
your investment, which may be of great use to you.

Below you can see the 7 points we will discuss on our website free of
charge:

1. Viral marketing.

2. Company databases.

3. Email marketing.

4. Telemarketing.

5. Blogging.

6. Publishing articles on the Internet.

7. Mobile marketing.

To read the full article with the descriptions of each of the
strategies click here

We hope it helps you start advertising your company at low cost; we
clarify that the article is meant to give you an idea of what you can do
to make your company known.

(4968)

If you do not wish to receive more information, send us an email at
bases.email...@gmail.com with the subject R E M O V E R; if we have caused
you any inconvenience we apologise, our intention is to make known free of
charge the different means that exist for advertising with little money.

(4967)



Re: Diff between amd64 and i386 packages

2010-12-23 Thread Cato Auestad
On Fri, Dec 24, 2010 at 01:02:12AM +0100, Cato Auestad wrote:
> Hi, 
> 
> I'm not sure whether or not this will be of interest to anyone,
> but I've compiled a diff of the packages available in i386
> compared to amd64 (if anyone wants to try the other without
-- lossing essential packages). I haven't been able to find a 
++ losing essential packages). I haven't been able to find a
-- similar diff online, so maybe this someone will find this useful.
++ similar diff online, so maybe someone will find this useful.
> 
> http://www.bleakgadfly.com/notes/amd64_i386_diff.txt
> 
> |- Cato Auestad
> |- www.bleakgadfly.com
> |- www.bleakgadfly.me
> |- www.openbsd.org



Diff between amd64 and i386 packages

2010-12-23 Thread Cato Auestad
Hi, 

I'm not sure whether or not this will be of interest to anyone,
but I've compiled a diff of the packages available in i386
compared to amd64 (if anyone wants to try the other without
losing essential packages). I haven't been able to find a
similar diff online, so maybe someone will find this useful.

http://www.bleakgadfly.com/notes/amd64_i386_diff.txt

|- Cato Auestad
|- www.bleakgadfly.com
|- www.bleakgadfly.me
|- www.openbsd.org



Re: set nano as default when editing crontab

2010-12-23 Thread Jeremy Huiskamp

On 2010/12/23 4:48 PM, Orestes Leal R. wrote:

> I want to edit the crontab with nano, but by default vi is invoked
> when I do 'crontab -e'

Did you read crontab(1)?



STAFF RECRUITMENT NOTICE

2010-12-23 Thread Christel JAVA (via Multiply)
This is a MIME-encoded message that applegateltd22 sent through Multiply.  To
read it, you need a HTML-capable mail client.



Re: Print server

2010-12-23 Thread Jean-Francois
On Wednesday 22 December 2010 23:40:03, Jacob Meuser wrote:
> On Wed, Dec 22, 2010 at 11:20:47PM +0100, Jean-Francois wrote:
> > Hello,
> >
> > I would like to use a printer on the server and share it like samba
> > supports, have it a shared network printer through openbsd server.
> >
> > The printer is actually a usb one that I would like to connect to the
> > server. Is this basically working ? supported ?
>
> usb printers?  see ulpt(4).  some also work as ugen(4), if the driver
> supports that.
>
> > Printer is Brother HL 2030, driver seems available for Linux. Can you
> > recommend the best way to proceed ? It's first time for me, I saw things
> > such as cups, never dive into yet.
> >
> > Thanks.
>
> http://www.openprinting.org/printer/Brother/Brother-HL-2030
>
> that gives you some hints.  granted, they're talking about linux so
> not all of that is relevant, but the recommended driver is hl1250, which
> is in the 'gs' binary of the ghostscript package.

Hi,
I'm not used to installing printers on Unix, so I'm not sure whether ulpt / ugen
are enough to handle that printer. Do I need cups or a printer driver? I
have installed only the samba server at the moment.



Re: scandir_push error in postfix

2010-12-23 Thread Ted Unangst
On Thu, Dec 23, 2010 at 5:15 PM, Orestes Leal R. wrote:
> why, from time to time (in postfix-sasl on 4.3), do I get a
>
> scandir_push_defer: error access denied

It's highly unlikely you are getting that message, because there's no
function named scandir_push_defer in postfix.



Re: scandir_push error in postfix

2010-12-23 Thread Orestes Leal R.
On Thu, 23 Dec 2010 15:37:37 -0600, Ted Unangst wrote:

> On Thu, Dec 23, 2010 at 5:15 PM, Orestes Leal R. wrote:
>
> > why, from time to time (in postfix-sasl on 4.3), do I get a
> >
> > scandir_push_defer: error access denied
>
> It's highly unlikely you are getting that message, because there's no
> function named scandir_push_defer in postfix.

I'm doing this from memory because that machine is at home and right now
I'm at work, but yes, it happens; possibly not scandir_push_defer but
something 'very' similar, like scandir_push_something, like defer or so.



scandir_push error in postfix

2010-12-23 Thread Orestes Leal R.

Why, from time to time (in postfix-sasl on 4.3), do I get a

scandir_push_defer: error access denied

and have to run

'postfix set-permissions'

to fix this?



Re: set nano as default when editing crontab

2010-12-23 Thread Orestes Leal R.

Wow, mg is new for me, thanks.

> On 12/23/10 15:48, Orestes Leal R. wrote:
>
> > I want to edit the crontab with nano, but by default vi is invoked
> > when I do 'crontab -e'
>
> What is wrong with mg?
>
> -luis






--
Using Opera's revolutionary email client: http://www.opera.com/mail/



Re: set nano as default when editing crontab

2010-12-23 Thread Orestes Leal R.

On Thu, 23 Dec 2010 15:01:13 -0600, Martin Schröder wrote:

> 2010/12/23 Orestes Leal R. :
>
> > I want to edit the crontab with nano, but by default vi is invoked
> > when I do 'crontab -e'
>
> man crontab
>      -e      Edit the current crontab using the editor specified by the
>              VISUAL or EDITOR environment variables.

:-) No thank you! OpenBSD is by far better suited for my tasks than the
'bloated Linux' Debian. OpenBSD's base system is very small, and I like
that; I have a system running 4.3 acting as a mail and POP3 server with
only 1.0GB of disk space.

> Are you sure you don't want to use debian instead? :-)
>
> Best
>    Martin




Re: set nano as default when editing crontab

2010-12-23 Thread BSD

On 12/23/10 15:48, Orestes Leal R. wrote:

> I want to edit the crontab with nano, but by default vi is invoked
> when I do 'crontab -e'

What is wrong with mg?

-luis



Re: set nano as default when editing crontab

2010-12-23 Thread Johan Linner

Orestes Leal R. wrote 2010-12-23 22:48:

> I want to edit the crontab with nano, but by default vi is invoked
> when I do 'crontab -e'

export VISUAL="nano -w"



Re: set nano as default when editing crontab

2010-12-23 Thread Martin Schröder
2010/12/23 Orestes Leal R. :
> I want to edit the crontab with nano, but by default vi is invoked
> when I do 'crontab -e'

man crontab
     -e      Edit the current crontab using the editor specified by the
             VISUAL or EDITOR environment variables.

Are you sure you don't want to use debian instead? :-)

Best
   Martin



Re: set nano as default when editing crontab

2010-12-23 Thread David Hill
On Thu, Dec 23, 2010 at 03:48:49PM -0600, Orestes Leal R. wrote:
:I want to edit the crontab with nano, but by default vi is invoked
:when I do 'crontab -e'
:

     -e      Edit the current crontab using the editor specified by the
             VISUAL or EDITOR environment variables.  After you exit from
             the editor, the modified crontab(5) will be installed
             automatically.


env EDITOR=nano crontab -e



set nano as default when editing crontab

2010-12-23 Thread Orestes Leal R.

I want to edit the crontab with nano, but by default vi is invoked
when I do 'crontab -e'



Re: blocked FIN packets

2010-12-23 Thread Claudio Jeker
On Thu, Dec 23, 2010 at 08:17:23PM +0100, Jan Stary wrote:
>  Speculation: this looks to me like an end of a valid http session:
>  an internal clients reads a web page, and probably a few images,
>  everything goes through, but the last FIN does not. The first SYN
>  creates state that lets the subsequent packets through. Doesn't the
>  last FIN belong to the same state? Also, this is an outgoing packet,
>  which I explicitly allow.
>  What can possibly be blocking these FIN packets?
> 
> On Dec 23 02:39:59, Daniel E. Hassler wrote:
> > Timing. State has probably timed out before the blocked packets are  
> > received. Log the whole conversation - both ways for both Firefox and 
> > lynx.
> 
> On Dec 23 04:45:04, Brian Seklecki (Mobile) wrote:
> >  set timeout tcp.finwait 900
> >  set timeout tcp.closing 900
> 
> You are both probably right. Thank you.
> 
> With lynx  (that is, an internal client runs 'lynx www.ihned.cz')
> the conversation looks like this (tcpdump follows): two tcp connections
> are made (first receives 302 Found, the second one receives 200);
> the data is read; both connections are correctly FIN'd, the FINs
> are ack'd.  No packets get blocked.
> 
> 12:36:57.989903 mac.stare.cz.54703 > www.ihned.cz.www: S 2635202717:2635202717(0) win 65535  743703535 0,sackOK,eol> (DF)
> 12:36:58.006316 www.ihned.cz.www > mac.stare.cz.54703: S 2401821844:2401821844(0) ack 2635202718 win 5792  3998698463 743703535,nop,wscale 7>
> 12:36:58.006483 mac.stare.cz.54703 > www.ihned.cz.www: . ack 1 win 65535  (DF)
> 12:36:58.006979 mac.stare.cz.54703 > www.ihned.cz.www: P 1:303(302) ack 1 win 65535  (DF)
> 12:36:58.018389 www.ihned.cz.www > mac.stare.cz.54703: . ack 303 win 54 
> 12:36:58.036406 www.ihned.cz.www > mac.stare.cz.54703: P 1:169(168) ack 303 win 54 
> 12:36:58.036774 mac.stare.cz.54703 > www.ihned.cz.www: . ack 169 win 65535  (DF)
> 12:36:58.036920 www.ihned.cz.www > mac.stare.cz.54703: F 169:169(0) ack 303 win 54 
> 12:36:58.037094 mac.stare.cz.54703 > www.ihned.cz.www: . ack 170 win 65535  (DF)
> 12:36:58.037990 mac.stare.cz.54703 > www.ihned.cz.www: F 303:303(0) ack 170 win 65535  (DF)
> 12:36:58.046266 www.ihned.cz.www > mac.stare.cz.54703: . ack 304 win 54 
> 
> (The first connection which received 302 Found ends here;
> the other one starts now.)
> 
> 12:37:00.040373 mac.stare.cz.54704 > www.ihned.cz.www: S 3284050248:3284050248(0) win 65535  743703555 0,sackOK,eol> (DF)
> 12:37:00.052042 www.ihned.cz.www > mac.stare.cz.54704: S 3325100471:3325100471(0) ack 3284050249 win 5792  3998698668 743703555,nop,wscale 7>
> 12:37:00.052393 mac.stare.cz.54704 > www.ihned.cz.www: . ack 1 win 65535  (DF)
> 12:37:00.053022 mac.stare.cz.54704 > www.ihned.cz.www: P 1:299(298) ack 1 win 65535  (DF)
> 12:37:00.061764 www.ihned.cz.www > mac.stare.cz.54704: . ack 299 win 54 
> [...]
> 12:37:00.220313 www.ihned.cz.www > mac.stare.cz.54704: . 82081:83449(1368) ack 299 win 54 
> 12:37:00.220486 www.ihned.cz.www > mac.stare.cz.54704: . 83449:84817(1368) ack 299 win 54 
> 12:37:00.220539 www.ihned.cz.www > mac.stare.cz.54704: FP 84817:84919(102) ack 299 win 54 
> 12:37:00.220620 mac.stare.cz.54704 > www.ihned.cz.www: . ack 82081 win 65535  (DF)
> 12:37:00.220858 mac.stare.cz.54704 > www.ihned.cz.www: . ack 84920 win 65309  (DF)
> 12:37:00.222642 mac.stare.cz.54704 > www.ihned.cz.www: F 299:299(0) ack 84920 win 65535  (DF)
> 12:37:00.229482 www.ihned.cz.www > mac.stare.cz.54704: . ack 300 win 54 
> 
> 
> With firefox on the other hand, this is what happens: six connections
> are made (ports 54748-54753) to get the page itself and the css and the
> images. Data is read on the connections; then the remote end sends
> a FIN for one of these connections (I am isolating port 54768; the very
> same happens on the other ports, too):
> 
> [...]
> 13:08:07.915873 www.ihned.cz.www > mac.stare.cz.54748: F 517:517(0) ack 637 win 56 
> 
> The internal client ACKs the FIN ...
> 
> 13:08:07.916238 mac.stare.cz.54748 > www.ihned.cz.www: . ack 518 win 65535  (DF)
> 
> and sends its own FIN later:
> 
> 13:08:21.284154 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)
> 
> Comparing the timestamps, that's fourteen seconds after the client
> sent the ACK for the remote FIN. That should be soon enough:
> 
> # pfctl -s timeouts | fgrep tcp
> tcp.first   120s
> tcp.opening  30s
> tcp.established   86400s
> tcp.closing 900s
> tcp.finwait  45s
> tcp.closed   90s
> tcp.tsdiff   30s
> 
> This FIN is *not* blocked, it goes out. However, no ACK is received
> from the remote side for this FIN (why?). So the internal client sends
> its FIN again a few times:
> 
> 13:08:22.186559 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)
> 13:08:24.188168 mac.stare.cz.

Re: blocked FIN packets

2010-12-23 Thread Jan Stary
 Speculation: this looks to me like an end of a valid http session:
 an internal clients reads a web page, and probably a few images,
 everything goes through, but the last FIN does not. The first SYN
 creates state that lets the subsequent packets through. Doesn't the
 last FIN belong to the same state? Also, this is an outgoing packet,
 which I explicitly allow.
 What can possibly be blocking these FIN packets?

On Dec 23 02:39:59, Daniel E. Hassler wrote:
> Timing. State has probably timed out before the blocked packets are  
> received. Log the whole conversation - both ways for both Firefox and 
> lynx.

On Dec 23 04:45:04, Brian Seklecki (Mobile) wrote:
>  set timeout tcp.finwait 900
>  set timeout tcp.closing 900

You are both probably right. Thank you.

With lynx  (that is, an internal client runs 'lynx www.ihned.cz')
the conversation looks like this (tcpdump follows): two tcp connections
are made (first receives 302 Found, the second one receives 200);
the data is read; both connections are correctly FIN'd, the FINs
are ack'd.  No packets get blocked.

12:36:57.989903 mac.stare.cz.54703 > www.ihned.cz.www: S 2635202717:2635202717(0) win 65535  (DF)
12:36:58.006316 www.ihned.cz.www > mac.stare.cz.54703: S 2401821844:2401821844(0) ack 2635202718 win 5792 
12:36:58.006483 mac.stare.cz.54703 > www.ihned.cz.www: . ack 1 win 65535  (DF)
12:36:58.006979 mac.stare.cz.54703 > www.ihned.cz.www: P 1:303(302) ack 1 win 65535  (DF)
12:36:58.018389 www.ihned.cz.www > mac.stare.cz.54703: . ack 303 win 54 
12:36:58.036406 www.ihned.cz.www > mac.stare.cz.54703: P 1:169(168) ack 303 win 54 
12:36:58.036774 mac.stare.cz.54703 > www.ihned.cz.www: . ack 169 win 65535  (DF)
12:36:58.036920 www.ihned.cz.www > mac.stare.cz.54703: F 169:169(0) ack 303 win 54 
12:36:58.037094 mac.stare.cz.54703 > www.ihned.cz.www: . ack 170 win 65535  (DF)
12:36:58.037990 mac.stare.cz.54703 > www.ihned.cz.www: F 303:303(0) ack 170 win 65535  (DF)
12:36:58.046266 www.ihned.cz.www > mac.stare.cz.54703: . ack 304 win 54 

(The first connection which received 302 Found ends here;
the other one starts now.)

12:37:00.040373 mac.stare.cz.54704 > www.ihned.cz.www: S 3284050248:3284050248(0) win 65535  (DF)
12:37:00.052042 www.ihned.cz.www > mac.stare.cz.54704: S 3325100471:3325100471(0) ack 3284050249 win 5792 
12:37:00.052393 mac.stare.cz.54704 > www.ihned.cz.www: . ack 1 win 65535  (DF)
12:37:00.053022 mac.stare.cz.54704 > www.ihned.cz.www: P 1:299(298) ack 1 win 65535  (DF)
12:37:00.061764 www.ihned.cz.www > mac.stare.cz.54704: . ack 299 win 54 
[...]
12:37:00.220313 www.ihned.cz.www > mac.stare.cz.54704: . 82081:83449(1368) ack 299 win 54 
12:37:00.220486 www.ihned.cz.www > mac.stare.cz.54704: . 83449:84817(1368) ack 299 win 54 
12:37:00.220539 www.ihned.cz.www > mac.stare.cz.54704: FP 84817:84919(102) ack 299 win 54 
12:37:00.220620 mac.stare.cz.54704 > www.ihned.cz.www: . ack 82081 win 65535  (DF)
12:37:00.220858 mac.stare.cz.54704 > www.ihned.cz.www: . ack 84920 win 65309  (DF)
12:37:00.222642 mac.stare.cz.54704 > www.ihned.cz.www: F 299:299(0) ack 84920 win 65535  (DF)
12:37:00.229482 www.ihned.cz.www > mac.stare.cz.54704: . ack 300 win 54 



With firefox on the other hand, this is what happens: six connections
are made (ports 54748-54753) to get the page itself and the css and the
images. Data is read on the connections; then the remote end sends
a FIN for one of these connections (I am isolating port 54768; the very
same happens on the other ports, too):

[...]
13:08:07.915873 www.ihned.cz.www > mac.stare.cz.54748: F 517:517(0) ack 637 win 56 

The internal client ACKs the FIN ...

13:08:07.916238 mac.stare.cz.54748 > www.ihned.cz.www: . ack 518 win 65535  (DF)

and sends its own FIN later:

13:08:21.284154 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)

Comparing the timestamps, that's fourteen seconds after the client
sent the ACK for the remote FIN. That should be soon enough:

# pfctl -s timeouts | fgrep tcp
tcp.first   120s
tcp.opening  30s
tcp.established   86400s
tcp.closing 900s
tcp.finwait  45s
tcp.closed   90s
tcp.tsdiff   30s

This FIN is *not* blocked, it goes out. However, no ACK is received
from the remote side for this FIN (why?). So the internal client sends
its FIN again a few times:

13:08:22.186559 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)
13:08:24.188168 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)
13:08:28.192462 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)
13:08:36.202517 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)
13:08:52.221585 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (DF)
13:09:24.267275 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535  (
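
The trace above shows the client's FIN being retransmitted with no ACK coming back, and Daniel's and Brian's replies point at the pf state timeouts. As an added illustration (not code from this thread, from OpenBSD or from pf), the following Python models the part of pf's TCP state handling that matters here, as pf.conf(5) describes it: the first FIN moves a state into tcp.closing, the second into tcp.finwait, and every packet that matches the state refreshes its expiry. It replays constructed tcpdump-style lines modelled on the port 54748 exchange in the message, with one further FIN retransmission added after the point where the trace is cut off, 64 seconds later, continuing the doubling backoff visible in the trace, and reports which packets would reach pf after the state had expired, once with the timeouts from the `pfctl -s timeouts` output above and once with Brian's `tcp.finwait 900`. The trace lines, the function names and the simplifications (no tcp.first/tcp.opening phase, no sequence-number tracking) are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Timeouts (seconds) as printed by `pfctl -s timeouts` in the thread.
PAGE_TIMEOUTS = {"established": 86400, "closing": 900, "finwait": 45}
# The same set with Brian Seklecki's suggested `set timeout tcp.finwait 900`.
RAISED_TIMEOUTS = dict(PAGE_TIMEOUTS, finwait=900)

# Constructed trace in tcpdump's line format, modelled on the port 54748
# exchange quoted in the thread. The lines before the server FIN and the
# final line (the next retransmission after the trace is cut off, 64 s
# later, matching the doubling backoff in the trace) are assumptions.
SAMPLE_TRACE = """\
13:08:07.500000 mac.stare.cz.54748 > www.ihned.cz.www: S 1000:1000(0) win 65535 (DF)
13:08:07.510000 www.ihned.cz.www > mac.stare.cz.54748: S 2000:2000(0) ack 1001 win 5792
13:08:07.510500 mac.stare.cz.54748 > www.ihned.cz.www: . ack 1 win 65535 (DF)
13:08:07.600000 mac.stare.cz.54748 > www.ihned.cz.www: P 1:637(636) ack 1 win 65535 (DF)
13:08:07.900000 www.ihned.cz.www > mac.stare.cz.54748: P 1:517(516) ack 637 win 56
13:08:07.915873 www.ihned.cz.www > mac.stare.cz.54748: F 517:517(0) ack 637 win 56
13:08:07.916238 mac.stare.cz.54748 > www.ihned.cz.www: . ack 518 win 65535 (DF)
13:08:21.284154 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:22.186559 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:24.188168 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:28.192462 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:36.202517 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:52.221585 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:09:24.267275 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:10:28.300000 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
""".splitlines()

# "HH:MM:SS.ffffff src.port > dst.port: FLAGS ..." (tcpdump prints "." for
# a bare ACK, and combinations such as "FP" for FIN+PSH).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFPR.]+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    return ts, m["src"], m["dst"], m["flags"]


def simulate(lines, timeouts):
    """Replay tcpdump lines through a toy pf-like TCP state table.

    Returns a list of (line, phase) for every packet that would reach pf
    after the state for its connection had expired; phase is the state the
    connection was in when it expired, or "none" if no state ever existed.
    """
    states = {}    # connection key -> {"phase", "fin_from", "expire"}
    blocked = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue                     # not a TCP line we understand
        ts, src, dst, flags = pkt
        key = frozenset((src, dst))      # same key in both directions
        st = states.get(key)
        if st is None:
            if "S" in flags:             # a SYN creates state (flags S/SA rule)
                states[key] = {"phase": "established", "fin_from": set(),
                               "expire": ts + timedelta(seconds=timeouts["established"])}
            else:
                blocked.append((line, "none"))
            continue
        if ts > st["expire"]:
            # pf would already have purged this state: the packet matches
            # nothing, is not a SYN, and falls through to the block rule.
            blocked.append((line, st["phase"]))
            del states[key]
            continue
        if "F" in flags:
            st["fin_from"].add(src)
            # pf.conf(5): first FIN -> tcp.closing, both FINs -> tcp.finwait
            st["phase"] = "closing" if len(st["fin_from"]) == 1 else "finwait"
        # every packet matching the state refreshes the current phase's expiry
        st["expire"] = ts + timedelta(seconds=timeouts[st["phase"]])
    return blocked


if __name__ == "__main__":
    for label, t in (("pfctl -s timeouts values", PAGE_TIMEOUTS),
                     ("tcp.finwait 900", RAISED_TIMEOUTS)):
        blocked = simulate(SAMPLE_TRACE, t)
        print(f"{label}: {len(blocked)} packet(s) arrive after state expiry")
        for line, phase in blocked:
            print(f"  expired in {phase}: {line}")
```

Because the model refreshes the expiry on every matching packet, it is the gap between consecutive retransmissions, not the time since the first FIN, that has to exceed tcp.finwait before a packet is dropped. That is why every retransmission in the constructed trace up to the 32-second gap still refreshes the state and only the 64-second gap falls outside the 45-second window, while the same trace passes cleanly with tcp.finwait raised to 900.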

Hello dear correspondent

2010-12-23 Thread diana cox (via Multiply)
This is a MIME-encoded message that dianacox14 sent through Multiply.  To read
it, you need a HTML-capable mail client.



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/23/2010 06:43 PM, Johan Beisser wrote:

> On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi wrote:
>
> > Hi list, I've tried to use the groups field for pfsync. In my pf rules I
> > changed the wan interface ext="xl0" to ext="egress"; then when I cause a
> > fault on firewall 1, firewall 2 becomes master, but all connections die.
> > In the state table of firewall 2 there are "synchronized" states for xl0,
> > but the "wan" interface is rl2. It's normal that all connections die, as
> > there are no valid states for rl2. So at this point the problem persists.
> > Is there something I've missed with the ifconfig groups field? Is this my
> > misconfiguration, or is "the use of the groups field" not a valid issue
> > for this problem?
>
> Please post your pf.conf, ifconfig output and dmesg. There may be
> another issue not addressed.

dmesg of Firewall 1


dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 448 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,SSE
real mem  = 335114240 (319MB)
avail mem = 319672320 (304MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/10/99, BIOS32 rev. 0 @ 0xec700, SMBIOS rev. 2.1 @ 0xf20ba (46 entries)
bios0: vendor Compaq version "686T2" date 02/10/99
bios0: Compaq Deskpro EP/SB Series
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7360/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xe/0x8000!
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0x4400, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
"Matrox MGA G200 AGP" rev 0x03 at pci1 dev 0 function 0 not configured
vga1 at pci0 dev 13 function 0 "Matrox MGA G200 PCI" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 14 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:10:5a:2e:0f:9e
exphy0 at xl0 phy 24: 3Com internal media interface
rl0 at pci0 dev 15 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:1d:0f:c4:0c:1d
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 16 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:1d:0f:c4:17:cb
rlphy1 at rl1 phy 0: RTL internal PHY
piixpcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 20 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC133CL2
spdmem1 at iic0 addr 0x51: 128MB SDRAM non-parity PC100CL3
spdmem2 at iic0 addr 0x52: 64MB SDRAM non-parity PC66CL2
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
biomask ff65 netmask ff65 ttymask 
mtrr: Pentium Pro MTRR support
uhidev0 at uhub0 port 2 configuration 1 interface 0 "C&C Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator" rev 2.00/1.64 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1 "C&C Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator" rev 2.00/1.64 addr 2
uhidev1: iclass 3/1, 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons, Z dir
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=5, output=0, feature=0
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
syncing disks... done
rebooting...
OpenBSD 4.8 (GENERIC) #136: Mon Au

Re: pfsync nic problem.

2010-12-23 Thread Fred Crowson
On 23 December 2010 18:24, Alessandro Baggi wrote:
>
> This problem is not theoretical.

but the dmesg, pf.conf and ifconfig output is.

:~)



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/22/2010 01:18 AM, Stuart Henderson wrote:

> On 2010-12-19, Alessandro Baggi wrote:
>
> > Hi list. I have a little question about pfsync. Suppose there are two
> > firewalls, each with 3 NICs: one for the LAN, one for the WAN and one
> > for the DMZ, in a scenario like this:
> >
> >     firewall 1        firewall 2
> >
> >     WAN: re0          WAN: xl0
> >     LAN: rl0          LAN: rl0
> >     DMZ: rl1          DMZ: rl1
> >
> > When pfsync sends the state updates to the backup firewall, does pfsync
> > update the state table with the interface names of the first firewall?
> > (In my scenario, the synchronization won't work for re0 and xl0, right?)
> > Then, must the firewall 2 box have NIC names equal to those of the first
> > firewall, or can they be different? If this is the issue, given this
> > scenario, is there a method to make a valid update for re0 and xl0?
> >
> > thanks in advance.
>
> states don't normally depend on the interface (and if you *do* make
> them dependent on that with if-bound states, i'm not sure if pfsync
> handles that...)
>
> are you having problems or is this theoretical? if you're having
> problems then send a dmesg and full details. if it's theoretical,
> why don't you just try it for yourself? this stuff is easy to
> check and first-hand experience beats a post from some random
> dude on a mailing list.

This problem is not theoretical.



Re: pfsync nic problem.

2010-12-23 Thread Johan Beisser
On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi
 wrote:
>
> Hi list, I've tried to use the groups field for pfsync. I've changed in my
> pf rules the WAN interface ext="xl0" to ext="egress", then when I try to
> get a fault on firewall 1, firewall 2 becomes master, but all connections
> die. In the state table of firewall 2 there are "synchronized" states for xl0,
> but the "wan" interface is rl2. It's normal that all connections die, there
> are no valid states for rl2. So at this point the problem persists.
> Is there something that I've missed with the ifconfig groups field? Is this my
> misconfiguration, or is "the use of the groups field" not valid for this
> problem?

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.



Re: randomize spamd-setup time in cron?

2010-12-23 Thread Peter N. M. Hansteen
frantisek holop  writes:

> for a couple of days now i am getting love messages every hour
> from cron about spamd-setup:
>
> ftp: Receiving HTTP reply: Connection reset by peer

I've been getting those too, more often than usual over the last 2-3
days.  Hopefully the underlying problem will be corrected.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: randomize spamd-setup time in cron?

2010-12-23 Thread frantisek holop
hmm, on Thu, Dec 23, 2010 at 02:41:05PM +, Jason McIntyre said that
> On Thu, Dec 23, 2010 at 02:51:38PM +0100, frantisek holop wrote:
> > hmm, on Wed, Dec 22, 2010 at 12:54:04AM +0100, frantisek holop said that
> > > are there some numbers how big traffic are
> > > we generating with this?  is this an issue?
> > 
> > i see that in the current crontabs the spamd-setup line is commented
> > out.  spamd-setup(8) does not mention cron at all.
> > i am a bit confused, is it ok to uncomment that line?
> > if it is, how often should spamd-setup run?
> > 
> 
> spamd(8) is the best place for an overview of how everything fits
> together. and it does document there that it needs to be run by cron.

yes, thanks, i found it:

 spamd-setup(8) should be run periodically by cron(8).  When run in
 blacklist-only mode, the -b flag should be specified.  Use crontab(1) to
 uncomment the entry in root's crontab.

although i must confess, i personally think this would
be better placed in spamd-setup as it relates to it directly.

but it's obvious people in charge gave it thought
so don't mind me :]

-f
-- 
if the limit was 250, there'd be no speeders...



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/19/2010 07:49 PM, Johan Beisser wrote:
> On Sun, Dec 19, 2010 at 9:12 AM, Alessandro Baggi
>   wrote:
> > Hi list. I've a little question about pfsync. Suppose we have two
> > firewalls, each with 3 NICs, one for LAN, one for WAN and one for DMZ,
> > in a scenario like this:
> >
> >     firewall 1      firewall 2
> >
> >     WAN: re0        WAN: xl0
> >     LAN: rl0        LAN: rl0
> >     DMZ: rl1        DMZ: rl1
> >
> > When pfsync sends the state updates to the backup firewall, does pfsync
> > update the state table with the interface names of the first firewall? (In
> > my scenario, the synchronization won't work for re0 and xl0, right?)
>
> I don't see why not. Adjust your pf rules to use the groups field for
> the interface if you're worried.

Hi list, I've tried to use the groups field for pfsync. I've changed in
my pf rules the WAN interface ext="xl0" to ext="egress", then when I
try to get a fault on firewall 1, firewall 2 becomes master, but all
connections die. In the state table of firewall 2 there are "synchronized"
states for xl0, but the "wan" interface is rl2. It's normal that all
connections die, there are no valid states for rl2. So at this point
the problem persists.
Is there something that I've missed with the ifconfig groups field? Is this
my misconfiguration, or is "the use of the groups field" not valid
for this problem?


thanks in advance.



Re: randomize spamd-setup time in cron?

2010-12-23 Thread Jason McIntyre
On Thu, Dec 23, 2010 at 02:51:38PM +0100, frantisek holop wrote:
> hmm, on Wed, Dec 22, 2010 at 12:54:04AM +0100, frantisek holop said that
> > are there some numbers how big traffic are
> > we generating with this?  is this an issue?
> 
> i see that in the current crontabs the spamd-setup line is commented
> out.  spamd-setup(8) does not mention cron at all.
> i am a bit confused, is it ok to uncomment that line?
> if it is, how often should spamd-setup run?
> 

spamd(8) is the best place for an overview of how everything fits
together. and it does document there that it needs to be run by cron.

jmc



Re: randomize spamd-setup time in cron?

2010-12-23 Thread frantisek holop
hmm, on Wed, Dec 22, 2010 at 12:54:04AM +0100, frantisek holop said that
> are there some numbers how big traffic are
> we generating with this?  is this an issue?

i see that in the current crontabs the spamd-setup line is commented
out.  spamd-setup(8) does not mention cron at all.
i am a bit confused, is it ok to uncomment that line?
if it is, how often should spamd-setup run?

for a couple of days now i am getting love messages every hour
from cron about spamd-setup:

ftp: Receiving HTTP reply: Connection reset by peer
ftp: Receiving HTTP reply: Connection reset by peer
ftp: Receiving HTTP reply: Connection reset by peer

# $OpenBSD: spamd.conf,v 1.3 2007/05/12 00:43:41 cnst Exp $

-f
-- 
exam is a four-letter word for torture.



Re: 64 bit cvsup pkg?

2010-12-23 Thread Edho P Arief
On Thu, Dec 23, 2010 at 1:00 PM, Indunil Jayasooriya
 wrote:
> Hi .
>
> Thanks for your info. Sorry for the delay in thanking the list. I downloaded
> csup-20090407.tgz and have now started updating the 64-bit OpenBSD system. Anyway,
> I prepared a doc for it. Since OpenBSD is open, I want to send my prepared
> Open Doc to everyone. Please share it.
> *

http://www.openbsd.org/cvsup.html

"Alternatively, the csup package is written in C and provides a
drop-in compatible client. "



Re: blocked FIN packets

2010-12-23 Thread Brian Seklecki (Mobile)

set skip on lo
set block-policy drop

set timeout tcp.finwait 900
set timeout tcp.closing 900

(There's also an adaptive setting based on load.)

Your client, if it's really a Mac, may have a sysctl like

...net.inet.tcp.finwait2_timeout: 6
...   net.inet.tcp.finwait2_timeout: FIN-WAIT2 timeout

Or something similar. ~BAS



Re: blocked FIN packets

2010-12-23 Thread Daniel E. Hassler
Timing. State has probably timed out before the blocked packets are 
received. Log the whole conversation - both ways for both Firefox and lynx.


On 12/23/10 12:47 AM, Jan Stary wrote:
> On Dec 22 19:54:28, Forman, Jeffrey wrote:
> > On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary  wrote:
> >
> > > Speculation: this looks to me like the end of a valid http session:
> > > an internal client reads a web page, and probably a few images,
> > > everything goes through, but the last FIN does not. The first SYN
> > > creates state that lets the subsequent packets through. Doesn't the
> > > last FIN belong to the same state? Also, this is an outgoing packet,
> > > which I explicitly allow.
> > >
> > > What can possibly be blocking these FIN packets?
> >
> > Jan,
> >
> > I have run into a similar situation where I had packets getting blocked
> > through my OpenBSD fw and could not figure out why.
> >
> > The couple pieces of code I tend to use to debug such a thing:
> >
> > 1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
> > two and throw them on all your block statements.
>
> Yes, that's how I see the blocked packets.
>
> > 2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
> > only the packets being logged, but also the pf rules blocking them. Example:
> > Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]
>
> Thanks. It's been some time since I read tcpdump(8).
>
> 09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535 (DF)
>
> > I see this is rule 8. I then run 'pfctl -s rules -vv'
> > [...]
> > I find that by combining these two debugging tools, I am able to pin
> > point the rule that might be blocking a specific set of connections.
>
> The rule that's blocking my FIN packets is the "block drop log all".
> Which is the only block rule I have, the rest of pf.conf just
> explicitly allows the intended traffic (see the original mail).
>
> So my question remains: if these are FINs of the few http connections
> that take place when an internal client looks at www.ihned.cz (which it
> seems), why are they not let through by the state that was created from
> these connections?
>
> This is blocked 'in' on the internal interface (vr1),
> where the 'in' rules are (see orig mail for full pf.conf):
>
> pass  in on $int proto icmp from any to  ($int)
> pass  in on $int proto { tcp udp }  from any to  ($int) port bootps
> pass  in on $int proto { tcp udp }  from any to  ($int) port domain
> pass  in on $int proto tcp  from any to  ($int) port ssh
> pass  in on $int from any to !($int) tag INT
>
> Maybe I am missing something here: the first four rules are supposed
> to allow traffic from the internal hosts to the gateway itself (dhcp
> etc), and the fifth rule is supposed to pass traffic to the outside
> (which gets natted later on the external interface). A packet such as
> mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0)
> seems to me to be that case (right?).
>
> The only communication that the internal client (mac.stare.cz) has with
> the outside host (www.ihned.cz) is that a browser (firefox) is used
> to look at a webpage. If the internal client does the same with lynx,
> there are no blocked FIN packets on the internal interface.
>
> What am I missing here?
>
> Thank you for your time
>
> Jan




Re: blocked FIN packets

2010-12-23 Thread Jan Stary
On Dec 22 19:54:28, Forman, Jeffrey wrote:
> On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary  wrote:
> 
> > Speculation: this looks to me like the end of a valid http session:
> > an internal client reads a web page, and probably a few images,
> > everything goes through, but the last FIN does not. The first SYN
> > creates state that lets the subsequent packets through. Doesn't the
> > last FIN belong to the same state? Also, this is an outgoing packet,
> > which I explicitly allow.
> >
> > What can possibly be blocking these FIN packets?
> >
> >
> Jan,
> 
> I have run into a similar situation where I had packets getting blocked
> through my OpenBSD fw and could not figure out why.
> 
> The couple pieces of code I tend to use to debug such a thing:
> 
> 1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
> two and throw them on all your block statements.

Yes, that's how I see the blocked packets.

> 2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
> only the packets being logged, but also the pf rules blocking them. Example:
> Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]

Thanks. It's been some time since I read tcpdump(8).

09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535 (DF)


> I see this is rule 8. I then run 'pfctl -s rules -vv' 
> [...]
> I find that by combining these two debugging tools, I am able to pin
> point the rule that might be blocking a specific set of connections.

The rule that's blocking my FIN packets is the "block drop log all".
Which is the only block rule I have, the rest of pf.conf just
explicitly allows the intended traffic (see the original mail).

So my question remains: if these are FINs of the few http connections
that take place when an internal client looks at www.ihned.cz (which it
seems), why are they not let through by the state that was created from
these connections?

This is blocked 'in' on the internal interface (vr1),
where the 'in' rules are (see orig mail for full pf.conf):

pass  in on $int proto icmp from any to  ($int)
pass  in on $int proto { tcp udp }  from any to  ($int) port bootps
pass  in on $int proto { tcp udp }  from any to  ($int) port domain
pass  in on $int proto tcp  from any to  ($int) port ssh
pass  in on $int from any to !($int) tag INT

Maybe I am missing something here: the first four rules are supposed
to allow traffic from the internal hosts to the gateway itself (dhcp
etc), and the fifth rule is supposed to pass traffic to the outside
(which gets natted later on the external interface). A packet such as
mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0)
seems to me to be that case (right?).

The only communication that the internal client (mac.stare.cz) has with
the outside host (www.ihned.cz) is that a browser (firefox) is used
to look at a webpage. If the internal client does the same with lynx,
there are no blocked FIN packets on the internal interface.

What am I missing here?

Thank you for your time

Jan
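The thread above reads pflog0 with tcpdump to find which rule blocked which packet, and Daniel Hassler's reply suggests the state had already expired by the time the FIN arrived. The script below is an added example, not code from the thread or from OpenBSD: it parses pflog records in the tcpdump format quoted above, groups the blocked packets by rule, direction and interface, and separates SYNs (new connections the ruleset rejected) from FIN, RST and ACK-only packets (mid-stream traffic for which pf had no matching state), which is the distinction that points at a timeout rather than at the ruleset. The embedded sample is constructed: the first two lines are the ones quoted in the thread re-joined onto one line each, the remaining lines are made up in the same format, and the rule numbers, interface names and hosts are reused from the thread.

```python
"""Triage blocked packets from pflog(4) records as printed by tcpdump(8).

Added example for the "blocked FIN packets" thread, not code from the thread
or from OpenBSD. The sample lines are constructed: the first two are the ones
quoted in the thread (re-joined onto one line each), the rest are made up in
the same format.
"""
import re
from collections import Counter

# One record in the form quoted in the thread:
#   <timestamp> rule N/(match) block in on IFACE: SRC.SPORT > DST.DPORT: <rest>
# The timestamp format depends on the -t options given to tcpdump, so it is
# captured loosely; src/dst may be numeric (-n) or resolved names.
PFLOG_RE = re.compile(
    r'^(?P<ts>.*?)\s*rule\s+(?P<rule>\d+)/\((?P<reason>[^)]+)\)\s+'
    r'(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+'
    r'(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\w+):\s+'
    r'(?P<rest>.*)$'
)

# Constructed sample input (see module docstring).
SAMPLE_PFLOG = """\
Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]
09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535 (DF)
09:07:02.851002 rule 15/(match) block in on vr1: mac.stare.cz.54255 > www.ihned.cz.www: F 11:11(0) ack 22 win 65535 (DF)
09:07:03.100417 rule 15/(match) block in on vr1: mac.stare.cz.54256 > www.ihned.cz.www: . ack 33 win 65535 (DF)
09:07:04.000123 rule 15/(match) block in on vr1: 10.0.0.20.49152 > 10.0.0.1.5000: udp 40
"""


def parse_pflog_line(line):
    """Return a dict for one pflog record, or None if the line is not one."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['rule'] = int(rec['rule'])
    rest = rec.pop('rest')
    # tcpdump prints TCP flags as a token of S/F/R/P/U/. before the sequence
    # numbers; anything else (udp, icmp, ...) starts with the protocol name.
    fm = re.match(r'([SFRPU.]+)\s', rest)
    if fm:
        rec['proto'] = 'tcp'
        rec['flags'] = fm.group(1)
    else:
        rec['proto'] = rest.split()[0] if rest else '?'
        rec['flags'] = ''
    rec['ack'] = ' ack ' in ' ' + rest + ' '
    return rec


def classify(rec):
    """Rough triage: a SYN is a new connection the ruleset rejected; a FIN, RST
    or bare ACK is mid-stream traffic for which pf had no matching state."""
    if rec['proto'] != 'tcp':
        return 'non-tcp'
    if 'S' in rec['flags']:
        return 'new-connection'
    if 'F' in rec['flags'] or 'R' in rec['flags'] or rec['ack']:
        return 'no-state'
    return 'other'


def summarize(lines):
    """Count blocked packets per (rule, direction, interface, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec['action'] != 'block':
            continue
        counts[(rec['rule'], rec['dir'], rec['iface'], classify(rec))] += 1
    return counts


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_PFLOG.splitlines()).items()):
        rule, direction, iface, kind = key
        print(f'rule {rule:>3} {direction:<3} on {iface:<4} {kind:<15} {n}')
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` (or of `tcpdump -n -e -ttt -r /var/log/pflog` for the saved log). A rule that blocks mostly FIN or ACK-only packets on an interface where the same hosts' SYNs pass is the signature of a state that has gone away before the conversation finished; in that case compare the packet timing against `pfctl -s timeouts` and watch the entry with `pfctl -vvs state` while the browser is talking to the site, rather than looking for a rule ordering problem.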