Hi folks,

I'm having two issues, first one is lots of these:

pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65

sprinkled with a few of these:

pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
pf: State failure on:         |

Also my other issue is FTP. I had FTP working before I lost my current
ruleset due to a HD crash and decided to use ftp/pftpx from ports.

In /var/log/messages I get a few of these showing up:

Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to server 64.39.2.174: Operation not permitted
Nov 11 20:01:36 ehost pftpx[46924]: #158 proxy cannot connect to server 192.35.244.50: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #163 proxy cannot connect to server 213.135.44.35: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #164 proxy cannot connect to server 212.14.28.36: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #165 proxy cannot connect to server 212.101.4.244: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #166 proxy cannot connect to server 193.206.140.34: Operation not permitted
Nov 11 20:01:40 ehost pftpx[46924]: #167 proxy cannot connect to server 66.98.251.159: Operation not permitted

which I think is related to the next part..

tcpdump -net -s0 -i pflog0 shows the packets blocked.

Can anyone help? I'm a little rusty :(

--

% cat /etc/pf.conf

ext_if = "tun0"
prv_if = "fxp0"
lpb_if = "lo0"

#set loginterface $prv_if
set state-policy if-bound
#set skip on $lpb_if
#set debug misc

scrub in on $ext_if \
all \
min-ttl 100 \
no-df \
fragment drop-ovl

scrub out on $ext_if \
all \
min-ttl 10 \
random-id

altq on $ext_if priq bandwidth 1Mb \
queue { Realtime High AboveNormal Normal BelowNormal Low }
 queue Realtime priority 15 priq
 queue High priority 12 priq
 queue AboveNormal priority 9 priq
 queue Normal priority 6 priq( default )
 queue BelowNormal priority 3 priq
 queue Low priority 0 priq

no nat on $ext_if \
inet \
from $prv_if:network \
to $prv_if:network

nat on $ext_if \
inet proto { tcp udp } \
from $prv_if:network \
to any \
tag prv_natted \
-> ($ext_if:0)

nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

rdr pass on $prv_if \
inet proto tcp \
from $prv_if:network \
to any port = ftp \
-> $lpb_if:0 port ftp-proxy

block drop log on $ext_if

block return log on ! $ext_if

pass quick on $lpb_if

pass in quick on $prv_if \
inet proto udp \
from 0.0.0.0 port dhcpc \
to 255.255.255.255 port dhcps

pass quick on $prv_if \
from $prv_if:network \
to $prv_if:network

pass in on $prv_if \
inet proto { tcp udp } \
from $prv_if:network \
to ! $prv_if:network \
flags S/SA modulate state

pass out on $ext_if \
inet proto udp \
from ($ext_if:0) \
to any port = domain \
keep state \
queue High \
tagged prv_natted

pass out on $ext_if \
inet proto udp \
from ($ext_if:0) \
to any port = ntp \
keep state \
queue High

anchor "pftpx/*"

pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { http https 8008 8080 } \
flags S/SA modulate state \
queue Normal \
tagged prv_natted

pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { 1863 5050 5222:5223 } \
flags S/SA modulate state \
queue BelowNormal \
tagged prv_natted

pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { smtp pop3 imap nntp smtps pop3s imaps nntps } \
flags S/SA modulate state \
queue BelowNormal \
tagged prv_natted

pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { cvsup cvspserver } \
flags S/SA modulate state \
queue BelowNormal \
tagged prv_natted

pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port = ssh \
flags S/SA modulate state \
queue (BelowNormal High) \
tagged prv_natted

pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any \
flags S/SA modulate state \
tagged prv_natted

antispoof for { $ext_if $prv_if $lpb_if }

# EOF

Help? I tend to think the real problem is the object between the
screen and the chair..

--
Kimi
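A triage aid for the two kernel messages quoted above, added here as an example and not part of the original post or of pf itself: it parses the "loose state match" / "BAD state" lines (re-joined to one line each, as syslog records them) into structured fields, names the per-side TCP states, and checks whether the packet's seq and ack fall inside the windows pf recorded. The endpoint field names, the state-name table and the in-window check are illustrative assumptions, not pf's exact matching logic.

```python
import re

# Constructed sample input: the two kernel messages from the post, re-joined
# onto single lines the way syslog records them (the mail client wrapped them).
SAMPLE_LOG = """\
pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65
pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
"""

# Assumed field order (pf's state printer): lan, gateway and external endpoints,
# then the source-side and destination-side sequence windows, then packet fields.
LINE_RE = re.compile(
    r"^pf: (?P<kind>loose state match|BAD state): (?P<proto>\w+) "
    r"(?P<lan>\S+):(?P<lan_port>\d+) (?P<gwy>\S+):(?P<gwy_port>\d+) "
    r"(?P<ext>\S+):(?P<ext_port>\d+) \[(?P<src>[^\]]*)\] \[(?P<dst>[^\]]*)\] "
    r"(?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+) "
    r"pkts=(?P<pkts0>\d+):(?P<pkts1>\d+)(?: dir=(?P<dir>\S+))?$"
)

# Per-side TCP state numbers, assumed to follow FreeBSD's tcp_fsm.h numbering.
TCP_STATES = ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED",
              "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT"]

def in_window(value, lo, high):
    """True if value lies in [lo, high] on the 32-bit sequence-number ring."""
    return ((value - lo) & 0xFFFFFFFF) <= ((high - lo) & 0xFFFFFFFF)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("lan_port", "gwy_port", "ext_port", "src_state", "dst_state",
                "seq", "ack", "len", "ackskew", "pkts0", "pkts1"):
        rec[key] = int(rec[key])
    for side in ("src", "dst"):
        # Each bracketed window is a run of key=value pairs (lo/high/win/modulator/wscale).
        rec[side] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", rec[side])}
        st = rec[side + "_state"]
        rec[side + "_state_name"] = TCP_STATES[st] if st < len(TCP_STATES) else str(st)
    # Triage aid (not pf's exact test): seq against the source window, ack against
    # the destination window, both evaluated modulo 2^32.
    rec["seq_in_src_window"] = in_window(rec["seq"], rec["src"]["lo"], rec["src"]["high"])
    rec["ack_in_dst_window"] = in_window(rec["ack"], rec["dst"]["lo"], rec["dst"]["high"])
    return rec

def parse_pf_log(text):
    """Parse every state-mismatch message in text; other lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```

Feed it `grep '^pf: ' /var/log/messages` output (with the syslog prefix stripped) to see which flows hit the mismatch path and in which TCP states.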
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf