ACKs create separate state


ACKs create separate state

Axel Rau
Hello,

this rule:

@189 pass in quick on enc0 inet proto tcp from <f2_all_nets:5> to 192.168.223.200 port = 601 \
 flags S/FSRA tag VPN_DMZ1
@190 pass in quick on enc0 inet6 proto tcp from <f2_all_nets:5> to abcd:2222:3333:4444::200 port = 601 \
 flags S/FSRA tag VPN_DMZ1

(expanded from
  pass in quick on enc0 proto tcp from <f2_all_nets>  to $loghost \
                port $port_rsyslog tag VPN_DMZ1 $tcp_options_floating)

does not work (no block message).

There seems to be a separate state for ACKs:

20:34:47.222627 1234:56:78:9a::81.63783 > abcd:2222:3333:4444::200.601: S \
 [tcp sum ok] 3045515540:3045515540(0) win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 4047232668 0> [flowlabel 0xe1575] \
 (len 40, hlim 62)
20:34:47.223345 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63783: S \
 [tcp sum ok] 3961027930:3961027930(0) ack 3045515541 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 3982283807 4047232668> \
 [flowlabel 0x87d5a] (len 40, hlim 64)
20:34:48.247490 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63783: S \
 [tcp sum ok] 3961027930:3961027930(0) ack 3045515541 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 3982284831 4047232668> [class 0x5] \
  [flowlabel 0x87d5a] (len 40, hlim 64)
20:34:49.308485 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63782: S \
 [tcp sum ok] 4229674314:4229674314(0) ack 405776979 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 709374688 1681817866> [class 0x5] \
 [flowlabel 0xbb54a] (len 40, hlim 64)
20:34:50.467695 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63783: S \
 [tcp sum ok] 3961027930:3961027930(0) ack 3045515541 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 3982287052 4047232668> [class 0x5] \
 [flowlabel 0x87d5a] (len 40, hlim 64)
20:34:53.561599 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63782: S \
 [tcp sum ok] 4229674314:4229674314(0) ack 405776979 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 709378941 1681817866> \
 [flowlabel 0xbb54a] (len 40, hlim 64)
20:34:54.701715 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63783: S \
 [tcp sum ok] 3961027930:3961027930(0) ack 3045515541 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 3982291286 4047232668> [class 0x5] \
 [flowlabel 0x87d5a] (len 40, hlim 64)
20:35:16.492774 1234:56:78:9a::81.63803 > abcd:2222:3333:4444::200.601: S \
 [tcp sum ok] 3229177067:3229177067(0) win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 3700208506 0> \
 [flowlabel 0x88963] (len 40, hlim 62)
20:35:16.493295 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63803: S \
 [tcp sum ok] 1160594675:1160594675(0) ack 3229177068 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 3615173800 3700208506> [class 0x1] \
 [flowlabel 0xd44f3] (len 40, hlim 64)
20:35:17.549712 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63803: S \
 [tcp sum ok] 1160594675:1160594675(0) ack 3229177068 win 65535 \
 <mss 1440,nop,wscale 6,sackOK,timestamp 3615174857 3700208506> \
 [flowlabel 0xd44f3] (len 40, hlim 64)

What the hell is going on here?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


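To make the pattern in that capture explicit, here is a small added example (mine, not part of the thread): it parses tcpdump lines of the form shown above and reports, per connection, how often the server resent the same SYN-ACK without the client's final ACK ever appearing. The sample lines are a constructed subset of the capture above, unwrapped onto one line each and trimmed of the TCP options.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the capture in the post, unwrapped and trimmed to the
# fields parsed here (timestamp, endpoints, flags, seq, optional ack).
SAMPLE = """\
20:34:47.222627 1234:56:78:9a::81.63783 > abcd:2222:3333:4444::200.601: S [tcp sum ok] 3045515540:3045515540(0) win 65535 (len 40, hlim 62)
20:34:47.223345 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63783: S [tcp sum ok] 3961027930:3961027930(0) ack 3045515541 win 65535 (len 40, hlim 64)
20:34:48.247490 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63783: S [tcp sum ok] 3961027930:3961027930(0) ack 3045515541 win 65535 (len 40, hlim 64)
20:34:49.308485 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63782: S [tcp sum ok] 4229674314:4229674314(0) ack 405776979 win 65535 (len 40, hlim 64)
20:34:50.467695 abcd:2222:3333:4444::200.601 > 1234:56:78:9a::81.63783: S [tcp sum ok] 3961027930:3961027930(0) ack 3045515541 win 65535 (len 40, hlim 64)
"""

# One tcpdump TCP line: "ts src.sport > dst.dport: FLAGS [tcp sum ok] seq:seq(len) [ack N] ..."
PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) \[tcp sum ok\] "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def handshake_report(capture: str) -> dict:
    """Group packets by (client, cport, server, sport) and count SYNs, SYN-ACKs,
    SYN-ACKs resent with identical seq/ack, and whether a bare ACK completed the handshake."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "synack_retrans": 0, "completed": False})
    seen_synack = set()
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        p = m.groupdict()
        is_syn = "S" in p["flags"]
        if is_syn and p["ack"] is None:           # client SYN: the sender is the client
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flows[key]["syn"] += 1
        elif is_syn:                               # SYN-ACK: the receiver is the client
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            flows[key]["synack"] += 1
            sig = key + (p["seq"], p["ack"])
            if sig in seen_synack:                 # same seq/ack seen before: a retransmission
                flows[key]["synack_retrans"] += 1
            seen_synack.add(sig)
        elif p["ack"] is not None:                 # bare ACK from the client finishes the handshake
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key in flows:
                flows[key]["completed"] = True
    return dict(flows)

def half_open(report: dict) -> list:
    """Connections whose SYN-ACK was resent and never answered, as in the capture above."""
    return sorted(k for k, v in report.items() if v["synack_retrans"] and not v["completed"])
```

Run it over a longer capture (e.g. `tcpdump -n -i enc0 tcp`) to list which client ports never completed the handshake; a pf state count per flow would stay at one, since nothing in this output is a second state for the ACK.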

Re: ACKs create separate state

Axel Rau


> On 09.12.2019 at 22:07, Axel Rau <[hidden email]> wrote:
>
> There seems to be a separate state for ACKs:

The origin of the problem seems to be at the other side of the link
(abcd:2222:3333:4444::200, a FreeBSD 12.1 box).
Everything is dual stack. When I block IPv6, everything works.
Why does this happen with some clients but not with others (all in the same subnets)?
This is not application specific, but the above host is always the server.

This points me at the OpenBSD firewall side.
There is another firewall at the other end of the VPN.

I have a flow extracted and I attach both the OpenBSD 6.6 side (gw1)
and the FreeBSD side (db3) as text files.

Clueless:
Axel



---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: ACKs create separate state

Axel Rau
It seems to be a missing IPv6 route to the sender.
When I play with ping6 from the source to the target, after a while the pings go through.
From that point, the pings in the opposite direction also go through and everything works.

IPv6 comes to gw1 via the VPN.
When enc0 comes up, an IPv6 default route is set to localhost by ifstated:

state vpn_reachable {
        init {
                run "pkill -HUP syslogd"
                run "/sbin/route add -inet6 default localhost"
                run "/sbin/sysctl -w net.inet6.ip6.forwarding=1"
                run "/usr/sbin/rad"
                run "sleep 5"
                run "date | mail -s 'Firewall State Change: vpn_reachable' root"
        }
        if ($carp_unknown)
                run "sleep 5"
        if ($carp_down)
                set-state auto
        if (! $vpn_up)
                set-state vpn_failed
}

Please advise improvements!

Thanks, Axel

> On 10.12.2019 at 11:13, Axel Rau <[hidden email]> wrote:
>
>
>
>> On 09.12.2019 at 22:07, Axel Rau <[hidden email]> wrote:
>>
>> There seems to be a separate state for ACKs:
>
> The origin of the problem seems to be at the other side of the link
> (abcd:2222:3333:4444::200, a FreeBSD 12.1 box).
> Everything is dual stack. When I block IPv6, everything works.
> Why does this happen with some clients but not with others (all in the same subnets)?
> This is not application specific, but the above host is always the server.
>
> This points me at the OpenBSD firewall side.
> There is another firewall at the other end of the VPN.
>
> I have a flow extracted and I attach both the OpenBSD 6.6 side (gw1)
> and the FreeBSD side (db3) as text files.
>
> Clueless:
> Axel
> <gw1.32404>
> <db3.32404>
>
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



[RESOLVED] --was: Re: ACKs create separate state

Axel Rau


> On 10.12.2019 at 19:56, Axel Rau <[hidden email]> wrote:
>
> It seems to be a missing IPv6 route to the sender.
> When I play with ping6 from the source to the target, after a while the pings go through.
> From that point, the pings in the opposite direction also go through and everything works.

After startup, the routing table shows entries like this:

2a05:bec0:26:2::70                 0c:c4:7a:ce:9e:90       UHLc
2a05:bec0:26:2::71                 link#1                  UHLc

The 2nd one is an alias address for the 1st one (a jail on a FreeBSD box).

After ping6 to this 2nd address, it looks as expected:

fw1# ping6 2a05:bec0:26:2::71
2a05:bec0:26:2::70                 0c:c4:7a:ce:9e:90       UHLc
2a05:bec0:26:2::71                 0c:c4:7a:ce:9e:90       UHLc

The reason for this misbehaviour was that I disabled auto linklocal
(-auto_linklocal in rc.conf) on the FreeBSD box.

Axel

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius

