Having a couple of issues
user name
2006-11-11 20:07:43
Hi folks,

I'm having two issues. The first one is lots of these:

pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65

sprinkled with a few of these:

pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
pf: State failure on:         |

Also, my other issue is FTP. I had FTP working before I lost my current
ruleset due to a HD crash, and decided to use ftp/pftpx from ports.

In /var/log/messages I get a few of these showing up:

Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to server 64.39.2.174: Operation not permitted
Nov 11 20:01:36 ehost pftpx[46924]: #158 proxy cannot connect to server 192.35.244.50: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #163 proxy cannot connect to server 213.135.44.35: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #164 proxy cannot connect to server 212.14.28.36: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #165 proxy cannot connect to server 212.101.4.244: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #166 proxy cannot connect to server 193.206.140.34: Operation not permitted
Nov 11 20:01:40 ehost pftpx[46924]: #167 proxy cannot connect to server 66.98.251.159: Operation not permitted

which I think is related to the next part..

tcpdump -net -s0 -i pflog0 shows the packets blocked.

Can anyone help? I'm a little rusty :(

--

% cat /etc/pf.conf

ext_if = "tun0"
prv_if = "fxp0"
lpb_if = "lo0"

#set loginterface $prv_if
set state-policy if-bound
#set skip on $lpb_if
#set debug misc

# multi-line rules use pf.conf's backslash continuation
scrub in on $ext_if \
 all \
 min-ttl 100 \
 no-df \
 fragment drop-ovl

scrub out on $ext_if \
 all \
 min-ttl 10 \
 random-id

altq on $ext_if priq bandwidth 1Mb \
 queue { Realtime High AboveNormal Normal BelowNormal Low }
  queue Realtime priority 15 priq
  queue High priority 12 priq
  queue AboveNormal priority 9 priq
  queue Normal priority 6 priq( default )
  queue BelowNormal priority 3 priq
  queue Low priority 0 priq

no nat on $ext_if \
 inet \
 from $prv_if:network \
 to $prv_if:network

# only traffic translated here carries the prv_natted tag
nat on $ext_if \
 inet proto { tcp udp } \
 from $prv_if:network \
 to any \
 tag prv_natted \
 -> ($ext_if:0)

nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

rdr pass on $prv_if \
 inet proto tcp \
 from $prv_if:network \
 to any port = ftp \
 -> $lpb_if:0 port ftp-proxy

block drop log on $ext_if

block return log on ! $ext_if

pass quick on $lpb_if

pass in quick on $prv_if \
 inet proto udp \
 from 0.0.0.0 port dhcpc \
 to 255.255.255.255 port dhcps

pass quick on $prv_if \
 from $prv_if:network \
 to $prv_if:network

pass in on $prv_if \
 inet proto { tcp udp } \
 from $prv_if:network \
 to ! $prv_if:network \
 flags S/SA modulate state

pass out on $ext_if \
 inet proto udp \
 from ($ext_if:0) \
 to any port = domain \
 keep state \
 queue High \
 tagged prv_natted

pass out on $ext_if \
 inet proto udp \
 from ($ext_if:0) \
 to any port = ntp \
 keep state \
 queue High

anchor "pftpx/*"

pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any port { http https 8008 8080 } \
 flags S/SA modulate state \
 queue Normal \
 tagged prv_natted

pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any port { 1863 5050 5222:5223 } \
 flags S/SA modulate state \
 queue BelowNormal \
 tagged prv_natted

pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any port { smtp pop3 imap nntp smtps pop3s imaps nntps } \
 flags S/SA modulate state \
 queue BelowNormal \
 tagged prv_natted

pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any port { cvsup cvspserver } \
 flags S/SA modulate state \
 queue BelowNormal \
 tagged prv_natted

pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any port = ssh \
 flags S/SA modulate state \
 queue (BelowNormal High) \
 tagged prv_natted

# catch-all for outbound TCP; matches only packets that carry the tag
pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any \
 flags S/SA modulate state \
 tagged prv_natted

antispoof for { $ext_if $prv_if $lpb_if }

# EOF

Help? I tend to think the real problem is the object between the screen and the chair..

-- 
Kimi
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
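Added example, not part of Kimi's post and not code from the pftpx port. Reading the posted ruleset, one plausible reason for the "Operation not permitted" lines is this: the FTP control connections are opened by pftpx on the firewall itself, so they never pass through the nat rule that applies the prv_natted tag, and every pass out rule for TCP on $ext_if (including the final catch-all) requires tagged prv_natted. The proxy's SYN therefore falls through to block drop log on $ext_if, which is also why it shows up on pflog0, and pf reports a blocked locally generated packet to the sending socket as EPERM, which pftpx logs as "Operation not permitted". That this is the whole cause is an assumption; the rules below show the tagged catch-all beside an additional rule that passes the proxy's own control connections. The user name proxy is assumed to be the account pftpx runs as; check it with ps and adjust or drop the user clause.

```pf
# Existing catch-all (from the posted ruleset): it only matches packets
# that were tagged by the nat rule, i.e. translated LAN traffic.
pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any \
 flags S/SA modulate state \
 tagged prv_natted

# Added: let the proxy's own outbound FTP control connections out.
# These originate on the firewall, so they carry no prv_natted tag.
# "user proxy" is an assumption about the account pftpx runs as;
# data connections are handled by the rules pftpx loads into the
# "pftpx/*" anchor, so this rule is deliberately limited to port ftp.
pass out on $ext_if \
 inet proto tcp \
 from ($ext_if:0) \
 to any port = ftp \
 user proxy \
 flags S/SA keep state \
 queue BelowNormal
```

After reloading with pfctl -f /etc/pf.conf, pfctl -vvsr shows per-rule packet counters, so the new rule should start counting while the block rule's counter for the proxy's SYNs stops growing; the same tcpdump on pflog0 that showed the drops confirms it from the other side. Keep the rule placed after the anchor "pftpx/*" line so the anchor's own data-connection rules are still evaluated first.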