another reassemble tcp problem - details for PF developers

Fri, 15 Jan 2010 02:24:58 -0800 

There has been 2 recent threads mentioning problems with "reassemble tcp":

"pf: reassemble tcp"

"problems with emails through pf"



For info here is another. We solved the problem by removing this scrub.



We went from 4.3 with

scrub in all



to the latest 4.6 stable with

match in all scrub (reassemble tcp)



and bizarrely found we sometimes (~50%) couldnt FTP to several sites. It
would hang just before sending any data. This would happen about 50% of the
time and work fine the rest. It may be an irrelevant coincidence but each
FTP site that this happened with was Microsoft FTP. It never happened (ie
FTP always worked fine) with other server types. The OpenBSD firewall is
running ftp-proxy. The internal client is a linux desktop. Removing the
"reassemble tcp" scrub made the problem go away and a successful
connection/download every time.



We took tcpdumps on both the internal and external interfaces of the OpenBSD
firewall/ftp-proxy.



Looking at our capture on firewall internal interface, the payload of the
first TCP packet after the handshake seems to be ignored.  I see:



  Frames 26, 28, 29:  TCP handshake

  33:  first data from server

  34:  client then immediately sends ACK to server with seq=1

  35:  last of the data from server

  36:  server attempting to close connection

  37, 38:  Client sends two ACKs in quick succession, presumably responses
to 35, 36; sequence number is still 1

  ... server retransmits, client sends same ACKs, etc. until server gets
frustrated and sends a RST



It looks like the MS FTP server is being well-behaved, but each time some
data is received, the internal linux desktop immediately replies with an ACK
denying that any data was received.  This suggests that it's aware that it's
received some packets, but is rejecting the contents for some reason. Not
sure.



Looking at the capture on firewall external interface, is pretty much the
same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.



Like I said I supply this info just for curiosity. We have it working now by
removing reassemble tcp - maybe its helpful to the PF developers, maybe not.
Below is the screen output from the internal linux desktop using lftp.



Many thanks,



Alastair Johnson















================================= NOT Working =====================

-bash-3.1$ lftp -c "open -uAAAAA,BBBBB 198.80.165.171; debug; ls"

---- Connecting to 198.80.165.171 (198.80.165.171) port 21

<--- 220 Microsoft FTP Service

---> FEAT

<--- 530 Please login with USER and PASS.

---> AUTH TLS

<--- 500 'AUTH TLS': command not understood

---> USER AAAAA

<--- 331 Password required for AAAAA.

---> PASS BBBBB

<--- 230-Welcome to Thomson Financial I/B/E/S FTP site.

<---     This site is for authorized users only.

<---     Any or all uses of this system and all files on

<---     this system are monitored, recorded, and audited.

<---     LOG OFF IMMEDIATELY if you do not agree to the

<---     conditions stated in this warning.

<--- 230 User AAAAA logged in.

---> FEAT

<--- 211-FEAT

<---     SIZE

<---     MDTM

<--- 211 END

---> PWD

<--- 257 "/" is current directory.

---> PASV

<--- 227 Entering Passive Mode (198,80,165,171,227,43)

---- Connecting data socket to (198.80.165.171) port 58155

---- Data connection established

---> LIST

<--- 125 Data connection already open; Transfer starting.

<--- 226 Transfer complete.

`ls' at 0 [Receiving data]

===================== Hang at this point ==========================







===================================== Working =====================

....snip....



<--- 230 User AAAAA logged in.

---> FEAT

<--- 211-FEAT

<---     SIZE

<---     MDTM

<--- 211 END

---> PWD

<--- 257 "/" is current directory.

---> PASV

<--- 227 Entering Passive Mode (198,80,165,171,198,136)

---- Connecting data socket to (198.80.165.171) port 50824

---- Data connection established

---> LIST

<--- 125 Data connection already open; Transfer starting.

dr-xr-xr-x   1 owner    group               0 Dec 22  2009 history

... and then more files/directories

Reply via email to