Fresh news.
I've noticed all unblocked packets have tcp window suggestion set to 0
(zero). I tried to block these packets on external interface:
~>sudo ipfw add 10 deny log tcp from 192.168.0.0/16 to any via external out tcpwin 0
This rule is the first rule in ipfw.
Then I looked for such packets and I found them :(
~>sudo tcpdump -ni external src net 192.168.0.0/16
15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0
15:17:57.603974 IP 192.168.38.36.4647 > 87.250.251.11.80: . ack 1795114833 win 0
15:17:57.603987 IP 192.168.32.96.2263 > 205.188.1.136.5190: . ack 1459514474 win 0
15:17:57.604015 IP 192.168.24.92.4049 > 194.186.121.81.80: . ack 1712730130 win 0
15:17:57.604028 IP 192.168.56.100.2934 > 194.67.23.206.80: . ack 0 win 0
15:17:57.604041 IP 192.168.48.33.3314 > 81.19.66.19.80: . ack 1697432479 win 0
15:17:57.604053 IP 192.168.24.92.4040 > 194.186.121.82.80: . ack 1951624102 win 0
15:17:57.604066 IP 192.168.16.35.2298 > 69.147.108.254.443: . ack 3953269109 win 0
15:17:57.604078 IP 192.168.11.143.60431 > 194.186.121.77.80: . ack 4068897542 win 0
15:17:57.604092 IP 192.168.9.18.60492 > 64.12.31.176.5190: . ack 3864640183 win 0
15:17:57.604104 IP 192.168.24.18.60660 > 81.222.128.13.80: . ack 456936114 win 0
15:17:57.604117 IP 192.168.24.18.60659 > 81.222.128.13.80: . ack 457633387 win 0
15:17:57.604129 IP 192.168.48.33.3316 > 88.212.196.77.80: . ack 3294547611 win 0
15:17:57.604142 IP 192.168.48.33.3317 > 88.212.196.77.80: . ack 407383482 win 0
15:17:57.604155 IP 192.168.38.36.4645 > 194.67.45.129.80: . ack 450309387 win 0
15:17:57.604167 IP 192.168.48.33.3318 > 194.67.45.98.80: . ack 2013143653 win 0
15:17:57.604180 IP 192.168.50.44.34589 > 213.155.151.142.80: . ack 1954703640 win 0
15:17:57.604191 IP 192.168.42.85.4027 > 216.178.38.78.80: . ack 1861099043 win 0
And I looked into the security log to see whether they are similar (lines
prefixed with space are common):
~>sudo less /var/log/security
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2290 216.109.127.6:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.52.20:1636 81.177.16.60:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.9.17:3403 217.106.230.137:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.48.33:3318 194.67.45.98:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.169:1801 194.67.23.108:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4647 87.250.251.11:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4049 194.186.121.81:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4040 194.186.121.82:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4645 194.67.45.129:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60660 81.222.128.13:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60659 81.222.128.13:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2083 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1075 85.112.114.78:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1078 85.112.114.77:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2283 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2272 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.22.103:1054 216.195.54.170:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4069 193.108.95.55:80 out via external
I have two questions now:
1. Why are there denied outgoing packets on the external interface?
2. Why does ipfw skip some tcp packets with (tcpwin 0), so that I see them only
with tcpdump?
--
mailto:[EMAIL PROTECTED]
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
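The comparison the poster did by eye (which zero-window flows captured by tcpdump also show up as rule 10 denies in /var/log/security, and which do not) can be automated. The following script is an added example, not code from the post or from FreeBSD: it parses the two line formats shown above, keys every packet by its (src, sport, dst, dport) tuple, and reports the flows that appear in both sources and the flows that tcpdump saw but the ipfw log never recorded. The sample lines are a subset of those in the post plus one constructed tcpdump line with a non-zero window (192.0.2.10, a documentation address) to show that the window filter is applied; the rule number 10 and the interface name "external" come from the post.

```python
import re
from collections import Counter

# tcpdump -n line, e.g.
# 15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
TCPDUMP_RE = re.compile(
    r'^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*\bwin (\d+)$'
)

# ipfw kernel log line, e.g.
# Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2290 216.109.127.6:443 out via external
IPFW_RE = re.compile(
    r'ipfw: (\d+) (\w+) TCP (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+) (in|out) via (\S+)'
)

# Sample input: tcpdump lines taken from the post, plus one constructed line
# (192.0.2.10, window 65535) that must be ignored by the zero-window filter.
SAMPLE_TCPDUMP = [
    "15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0",
    "15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0",
    "15:17:57.604028 IP 192.168.56.100.2934 > 194.67.23.206.80: . ack 0 win 0",
    "15:17:57.604191 IP 192.168.42.85.4027 > 216.178.38.78.80: . ack 1861099043 win 0",
    "15:17:57.604200 IP 192.0.2.10.5555 > 203.0.113.5.80: . ack 1 win 65535",  # constructed
]

# Sample input: ipfw log lines taken from the post (one flow is logged twice).
SAMPLE_IPFW_LOG = [
    "Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2290 216.109.127.6:443 out via external",
    "Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external",
    "Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external",
    "Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external",
]


def parse_tcpdump(lines):
    """Yield ((src, sport, dst, dport), window) for every tcpdump TCP line."""
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparseable line
        src, sport, dst, dport, win = m.groups()
        yield (src, int(sport), dst, int(dport)), int(win)


def parse_ipfw_log(lines):
    """Yield (rule, action, flow, direction, iface) for every ipfw log line."""
    for line in lines:
        m = IPFW_RE.search(line)
        if not m:
            continue
        rule, action, src, sport, dst, dport, direction, iface = m.groups()
        yield int(rule), action, (src, int(sport), dst, int(dport)), direction, iface


def zero_window_flows(tcpdump_lines):
    """Flows whose TCP window field is 0, i.e. what the tcpwin 0 rule should match."""
    return {flow for flow, win in parse_tcpdump(tcpdump_lines) if win == 0}


def denied_flows(log_lines, rule=10, iface="external"):
    """Count how often each flow was logged as denied by the given rule on the interface."""
    counts = Counter()
    for r, action, flow, direction, ifn in parse_ipfw_log(log_lines):
        if r == rule and action == "Deny" and direction == "out" and ifn == iface:
            counts[flow] += 1
    return counts


def reconcile(tcpdump_lines, log_lines, rule=10, iface="external"):
    """Return (flows seen by both tcpdump and the ipfw log, flows seen only by tcpdump)."""
    seen = zero_window_flows(tcpdump_lines)
    denied = denied_flows(log_lines, rule, iface)
    both = sorted(f for f in seen if f in denied)
    unlogged = sorted(f for f in seen if f not in denied)
    return both, unlogged


if __name__ == "__main__":
    both, unlogged = reconcile(SAMPLE_TCPDUMP, SAMPLE_IPFW_LOG)
    print("zero-window flows also denied by rule 10:")
    for f in both:
        print("  %s:%d -> %s:%d" % f)
    print("zero-window flows tcpdump saw but rule 10 never logged:")
    for f in unlogged:
        print("  %s:%d -> %s:%d" % f)
```

Run it against real data by reading the tcpdump capture and /var/log/security into the two lists instead of the samples. If the "unlogged" list is long, one thing to check before concluding that the rule is not matching is the logging cap: an ipfw `log` rule stops writing to syslog once it reaches its `logamount` (defaulting to the sysctl `net.inet.ip.fw.verbose_limit`, where 0 means unlimited) until `ipfw resetlog` is run, so `ipfw -a list` packet counters on rule 10 are the more reliable indicator of whether the packets were actually blocked.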