DragonFly BSD
DragonFly kernel List (threaded) for 2006-03

Re: pf: BAD state: TCP...


From: Max Laier <max@xxxxxxxxxxxxxx>
Date: Wed, 29 Mar 2006 20:04:17 +0200

On Wednesday 29 March 2006 19:23, David Beck wrote:
> Hello,
>
> I have a problem with pf and didn't find any information that would help.
> Could you please advise on this? I wanted a simple thing, create a jail,
> and put a squid server into that. It didn't work as expected. Later I
> phased out squid and just wanted to open a TCP connection from the jail
> to the outside world. The interesting thing is that 4 out of 10
> outgoing connections go as expected and the rest block. Then I started
> to play with pf. My last attempt was that I increased the debug level,
> then I got these messages:
>
> Mar 29 19:16:15 w4 kernel: pf: State failure on: 1       | 5
> Mar 29 19:16:27 w4 kernel: pf: BAD state: TCP 10.4.0.127:2567
> OUTSIDE_IP:53042 HOST_TO_CONNECT_IP:80 [lo=2402333945 high=2402391289
> win=57344 modulator=0 wscale=0] [lo=875209420 high=875266764 win=57344
> modulator=0 wscale=0] 11:11 SA seq=1715691499 ack=2402333945 len=0
> ackskew=0 pkts=5:1 dir=in,rev
> Mar 29 19:16:27 w4 kernel: pf: State failure on: 1       | 5
> Mar 29 19:16:32 w4 kernel: pf: BAD state: TCP 10.4.0.127:2569
> OUTSIDE_IP:64910 HOST_TO_CONNECT_IP:80 [lo=516944989 high=517002333
> win=57344 modulator=0 wscale=0] [lo=3318903594 high=3318960938 win=57344
> modulator=0 wscale=0] 11:11 SA seq=2611208073 ack=516944989 len=0
> ackskew=0 pkts=3:1 dir=in,rev
> Mar 29 19:16:32 w4 kernel: pf: State failure on:   2     |   6
> Mar 29 19:16:35 w4 kernel: pf: BAD state: TCP 10.4.0.127:2569
> OUTSIDE_IP:64910 HOST_TO_CONNECT_IP:80 [lo=516944989 high=517002333
> win=57344 modulator=0 wscale=0] [lo=3318903594 high=3318960938 win=57344
> modulator=0 wscale=0] 11:11 SA seq=2611208073 ack=516944989 len=0
> ackskew=0 pkts=3:1 dir=in,rev
>
>
> I found the place in the source where these are generated, but that
> didn't help me. Any ideas?

You seem to be creating state too late.  Make sure that all stateful tcp rules 
are on the initial SYN (flags S/SA).

-- 
/"\  Best regards,                      | mlaier@xxxxxxxxxxx
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
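
The advice in the reply above, written out as a pf.conf fragment. This is an added example, not part of the original message or of either poster's ruleset; the interface name and the port 80 rule are assumptions chosen to match the connections in the quoted log.

```pf
# Constructed pf.conf fragment (illustrative; not the poster's ruleset).
ext_if = "em0"    # hypothetical external interface name

# NAT for the jail address is assumed to be configured elsewhere.

block all

# Weak: no flags restriction on a stateful TCP rule.
# Any matching TCP segment can create the state entry, including one from
# the middle of a connection. pf then never saw the handshake, so it has
# not learned the window scaling options from the SYN and starts sequence
# tracking from incomplete information. Later segments of the same
# connection can fall outside the tracked window and be dropped.
#
# pass out on $ext_if proto tcp from any to any port 80 keep state

# Corrected: out of the SYN and ACK flags, only SYN may be set.
# Only the initial SYN of a connection creates state; every later segment
# has to match the state entry created by that SYN.
pass out on $ext_if proto tcp from any to any port 80 flags S/SA keep state

# Apply the same "flags S/SA" to every other stateful TCP rule in the
# ruleset, on every interface the jail's traffic crosses.
#
# Checks after editing:
#   pfctl -nf /etc/pf.conf    parse the file without loading it
#   pfctl -sr                 list the loaded rules and confirm the flags
```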
