more pf strangeness

julf
Hi again...

I am seeing some strange stuff in my pf log.

My situation:

- OpenBSD firewall, with 3 interfaces (OpenBSD 4.8 GENERIC.RAID#0 i386)
    - rl0, with address 82.171.180.235, connecting to ADSL modem
    - xl0, with address 172.24.42.2, connecting to my internal
      network, from where I ssh in from host Desk.home (172.24.42.123)
    - xl2, with address 172.24.44.1, connecting to controller (172.24.44.89)

Here is my pf.conf:

ext_if = "rl0"
int_if = "xl0"
nomans_if = "xl2"
vpn_if=tun0

remote = "{ fie.fue.com }"
box = "172.24.44.89"
desktop = "172.24.42.123"
dnshost = "172.24.42.86"

block log
pass out

set skip on lo

block in log quick inet6
block out log quick inet6

pass in log quick on $int_if proto tcp from $desktop to self port ssh allow-opts

match out on egress inet from !(egress) to any nat-to (egress:0)

pass in log on $nomans_if

pass in on $nomans_if from $box to $remote

pass in log on egress inet proto tcp from $remote to (egress) port \
    { www, 8080, tftp } rdr-to $box synproxy state

pass in on $int_if proto udp from $dnshost port domain to $box

pass in quick on $int_if proto udp from $dnshost port domain to self

pass in log on $int_if proto tcp from any to $box port www
pass in log on $int_if proto tcp from any to $box port 8080

# OpenVPN

pass in log on $int_if inet proto udp from any to self port 1194
pass in log on $vpn_if


OK, so running tcpdump -l -vv -s 500 -e -ttt -i pflog0

I see some strange log entries. First:

Feb 16 16:44:00.890130 rule 0/(match) [uid 0, pid 6229] block out
 on xl0: 172.24.42.2.ssh > Desk.home.60894: P [tcp sum ok]
 3315589246:3315589294(48) ack 504174100 win 2172
 <nop,nop,timestamp 3753377080 234844077> [tos 0x10]
 (ttl 64, id 23287, len 100, bad cksum 14! differs by 72cb)

So despite the ssh connection working OK, I still get occasional
(but regular) blocked ssh packets.

Second:

Feb 16 16:44:38.484106 rule def/(short) [uid 0, pid 0] pass
 out on xl2: fie.fue.com.44445 > 172.24.44.89.0: [udp sum ok]
 udp 16 (DF) (ttl 43, id 0, len 44, bad cksum a33e! differs by 100)

So for some reason I see a malformed, short packet going *out*
of the firewall, but not coming in.

Any ideas?

        Julf
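As an added example (not part of this thread), a small Python parser that folds the multi-line tcpdump pflog output above into one record per packet and flags the two oddities described: the "(short)" packets and the blocked ssh replies. The sample input is the two log entries quoted in the post; the field names and the anomaly notes are my own.

```python
import re
# Sample input, copied from the two pflog records quoted in the post (continuation lines start with a space).
SAMPLE_LOG = """\
Feb 16 16:44:00.890130 rule 0/(match) [uid 0, pid 6229] block out
 on xl0: 172.24.42.2.ssh > Desk.home.60894: P [tcp sum ok]
 3315589246:3315589294(48) ack 504174100 win 2172
 <nop,nop,timestamp 3753377080 234844077> [tos 0x10]
 (ttl 64, id 23287, len 100, bad cksum 14! differs by 72cb)
Feb 16 16:44:38.484106 rule def/(short) [uid 0, pid 0] pass
 out on xl2: fie.fue.com.44445 > 172.24.44.89.0: [udp sum ok]
 udp 16 (DF) (ttl 43, id 0, len 44, bad cksum a33e! differs by 100)
"""

# pflog header: "rule <num|def>/(<reason>) [uid, pid] <action> <dir> on <iface>: <src> > <dst>:"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\S+)/\((?P<reason>\w+)\) "
    r"\[uid \d+, pid \d+\] (?P<action>block|pass|match) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+):"
)
CKSUM_RE = re.compile(r"bad cksum [0-9a-f]+! differs by (?P<cksum_diff>[0-9a-f]+)")

def join_records(text):
    """Fold tcpdump's indented continuation lines into one string per packet."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line
        elif line.strip():
            records.append(line)
    return records

def parse_pflog(text):
    """One dict per packet: ts, rule, reason, action, dir, iface, src, dst, cksum_diff."""
    out = []
    for raw in join_records(text):
        m = HEADER_RE.match(raw)
        if m:  # anything else is not a pflog header line
            ck = CKSUM_RE.search(raw)  # IP header checksum delta tcpdump reports, if any
            out.append({**m.groupdict(), "cksum_diff": ck["cksum_diff"] if ck else None})
    return out

def anomalies(records):
    """Flag the two symptoms from the post: 'short' packets and blocked ssh replies."""
    found = []
    for r in records:
        if r["reason"] == "short":
            found.append((r, "short: pf could not read a complete header, so the default rule applied"))
        if r["action"] == "block" and r["src"].endswith(".ssh"):
            found.append((r, "ssh reply hit the block rule: no pass rule or state matched it"))
    return found
```

Feed it `tcpdump -l -n -e -ttt -i pflog0` output and a steady stream of the second note on one interface points at the state table rather than the ruleset.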

Re: more pf strangeness

Loganaden Velvindron-3
This might be due to a broken TCP/IP offload engine.
I saw this while hacking mclgeti for xl(4). Can you
provide me with the dmesg ? I have 3 of those xl(4)
adapters, and I could help here.

//Logan
C-x-C-c

Re: more pf strangeness

julf
In reply to this post by julf
An update...

> Feb 16 16:44:38.484106 rule def/(short) [uid 0, pid 0] pass
>  out on xl2: fie.fue.com.44445 > 172.24.44.89.0: [udp sum ok]
>  udp 16 (DF) (ttl 43, id 0, len 44, bad cksum a33e! differs by 100)
>
> So for some reason I see a malformed, short packet going *out*
> of the firewall, but not coming in.

Even changing network cards (from xl to re) didn't change the
situation - still seeing "(short)" packets logged going out
(but not coming in).

        Julf