On Sat, Nov 11, 2006 at 11:04:25PM +0000, Kimi Ostro wrote:
> All of those messages "State failure on:"
messages are like this:
>
> Nov 10 15:40:24 ehost kernel: pf: State failure on:
|
>
> which doesn't help I guess?
>
> more here:
>
> Nov 10 15:40:24 ehost kernel: pf: BAD state: TCP
IiP.IiP.IiP.8:54188
> XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269
high=3278967062
> win=32768 modulator=2503785894 wscale=1] [lo=164575658
high=164641194
> win=5792 modulator=2389911175 wscale=2] 4:2 R
seq=3278961269
> ack=164575658 len=0 ackskew=0 pkts=1:4 dir=out,fwd
> Nov 10 15:40:24 ehost kernel: pf: State failure on:
|
These are caused by on off-by-one in pf's state tracking for
one special
case: when an RST is sent during the handshake (i.e. SYN,
SYN+ACK, RST),
pf compares the sequence number in the RST exactly, and is
off by one,
blocking the RST.
This is recognizable by the strange "State failure
on:" line with no
digits (the digit(s) indicate the reason why the state match
failed, in
this specific case, and this case only, there is no digit
printed).
It was recently fixed in OpenBSD, IIRC post-4.0. The fix is
easy to
port. But I have to wonder why this shows up repeatedly just
now.
Who are those clients aborting their handshake with RST, and
why are
they doing it? If the RST is properly passed, it's not like
you end up
with a working connection, it's aborted. And if they don't
intend to
complete the handshake, why start it? Some silly form of
port scanning?
WTF? 
Daniel
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"
|