On Wednesday, July 25, 2007 at 11:48:27PM -0700, Phil Dibowitz wrote:

> Matthias Apitz wrote:
> > Phil, I'm talking about this pkg (the very last one in my posting from
> > today):
> > 
> > 13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 49301289:49301289(0) ack 979701897 win 23360 <mss 536>
> 
> I misunderstood, sorry. This packet is not part of the same connection as
> the rest of the packets in your output. Both the source and destination
> ports don't match, nor do the sequence or ack numbers. That's a SYN+ACK to
> some _other_ SYN not shown in your output. That's why Carson pointed out
> that you didn't include the relevant SYN.

But there was no _other_ SYN, really; and I've checked again the tcpdump
output; I was sitting on the firewall host itself and did a

# tcpdump -i em0 -n host 10.0.1.40 > 10.0.1.40.tcp

and the file does only contain the sequence I already sent twice;
also the 'ipmon' log in /var/log/messages says about that:

Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.989080 em1 @0:74 p xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 PR tcp len 20 44 -S K-S IN NAT
Jul 25 13:30:09 cazador ipmon[362]: 13:30:08.499067 em1 @0:111 b 10.0.1.40,2546 -> xxx.xxx.xxx.xxx,3233 PR tcp len 20 44 -AS OUT

i.e. the 1st line logs the passing of the SYN for the connection
xxx.xxx.xxx.xxx.3232 -> 10.0.1.40,1720 and the next line shows already
the blocked SYN+ACK packet and there is no line between showing
another passed SYN for xxx.xxx.xxx.xxx,3233 -> 10.0.1.40.2546

The problem is that the 10.0.1.40 is connected to a switch; I will
put in some hub to plug in my laptop directly next to 10.0.1.40 to
see what traffic is arriving at the NIC of 10.0.1.40; at least
in the firewall (10.0.1.136) there was no other SYN to see;
sorry;

but in any case, thanks for all the feedback;

        matthias
-- 
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <[EMAIL PROTECTED]> - w http://www.oclcpica.org/ http://www.UnixArea.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Managing Directors: Christine Magin-Weeger, Norbert Weinberger
Registered office: Oberhaching, HRB Muenchen: 113261
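
The by-eye check described in the message (a logged SYN+ACK with no logged SYN for the reverse address/port pair) can be automated over ipmon output. The following is an added example, not part of the original message; the regular expression covers only the fields visible in the two quoted log lines, and the third sample line is constructed for contrast.

```python
import re

# Fields as they appear in the ipmon lines quoted in the message:
# action (p = passed, b = blocked), src,port -> dst,port, TCP flags after "-".
LINE = re.compile(
    r"@\d+:\d+ (?P<action>[pb]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR tcp len \d+ \d+ -(?P<flags>[A-Z]+)"
)

def orphan_synacks(lines):
    """Return logged SYN+ACKs whose reverse 4-tuple has no logged SYN."""
    syns = set()       # (src, sport, dst, dport) of every bare SYN seen so far
    orphans = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue   # not a TCP ipmon record in the expected layout
        flags = set(m["flags"])
        tup = (m["src"], m["sport"], m["dst"], m["dport"])
        if flags == {"S"}:
            syns.add(tup)
        elif flags == {"A", "S"}:
            # A SYN+ACK answers a SYN that travelled in the opposite direction.
            reverse = (m["dst"], m["dport"], m["src"], m["sport"])
            if reverse not in syns:
                orphans.append((m["action"],) + tup)
    return orphans

SAMPLE = [
    # The two lines from the message, re-joined; address redacted as posted.
    "Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.989080 em1 @0:74 p "
    "xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 PR tcp len 20 44 -S K-S IN NAT",
    "Jul 25 13:30:09 cazador ipmon[362]: 13:30:08.499067 em1 @0:111 b "
    "10.0.1.40,2546 -> xxx.xxx.xxx.xxx,3233 PR tcp len 20 44 -AS OUT",
    # Constructed line: a SYN+ACK that does answer the first SYN.
    "Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.990100 em1 @0:74 p "
    "10.0.1.40,1720 -> xxx.xxx.xxx.xxx,3232 PR tcp len 20 44 -AS OUT",
]

if __name__ == "__main__":
    for rec in orphan_synacks(SAMPLE):
        print("SYN+ACK without logged SYN:", rec)
```

The result reflects only what the log contains: a SYN passed by a rule that does not log, or seen on a different interface or path, will not appear and its SYN+ACK will be reported as an orphan.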
