outgoing SYN blocked even if it is allowed by ipf.rules

Wed, 25 Jul 2007 05:01:58 -0700 

Hello,

I've a problem with some incoming call of a VideoConferencing system
which should pass my IPF firewall (v4.1.8); I've watched it on both
interfaces with tcpdump:

13:30:07.989088 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: S 
356680283:356680283(0) win 8192 <mss 1460>
13:30:07.994005 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: S 
85446234:85446234(0) ack 356680284 win 23360 <mss 536>
13:30:08.153383 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 1 win 8192
13:30:08.153391 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 1:5(4) ack 1 win 
8192
13:30:08.154131 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 5:222(217) ack 1 
win 8192
13:30:08.182341 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 1:104(103) ack 222 
win 23139
13:30:08.320937 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 104:242(138) ack 
222 win 23139
13:30:08.346463 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 104 win 8093
13:30:08.494931 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 242 win 8058

Now my VC tries (for some reason which I don't understand as well) to
initiate a new TCP session here:

13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 
49301289:49301289(0) ack 979701897 win 23360 <mss 536>
13:30:08.499077 IP 10.0.1.136 > 10.0.1.40: ICMP host xxx.xxx.xxx.xxx 
unreachable, length 36

which gets blocked by the IPF (2nd line):

Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.989080 em1 @0:74 p 
xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 PR tcp len 20 44 -S K-S IN NAT
Jul 25 13:30:09 cazador ipmon[362]: 13:30:08.499067 em1 @0:111 b 10.0.1.40,2546 
-> xxx.xxx.xxx.xxx,3233 PR tcp len 20 44 -AS OUT

the line in ipf.rules is:

pass out log first quick on em1 proto tcp from any to xxx.xxx.xxx.xxx flags S 
keep state

Why the traffic 'TCP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: SYN' does not
match the rule?

Thx in advance

        matthias

-- 
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <[EMAIL PROTECTED]> - w http://www.oclcpica.org/ http://www.UnixArea.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Geschaeftsfuehrer: Christine Magin-Weeger, Norbert Weinberger
Sitz der Gesellschaft: Oberhaching, HRB Muenchen: 113261

Reply via email to