On Fri, 14 Feb 2003 22:17:01 +0100 Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> > They also arrive at 192.168.0.3, I can give you the tcpdump -s 1500
> > output of that if needed.
>
> Yes, just to check whether both cases are correct RSTs.
>
> > Well, I did notice something abnormal in it. I'm getting flooded with
> > messages that say:
> > Feb 14 18:39:04 zombie /bsd: pf_map_addr: selected address: 192.168.0.1
>
> Those are harmless, you can safely ignore them.
>
> You mention that you see the RSTs arrive at the client in both cases.
> Are you maybe running pf on the client as well? Is it maybe filtering
> statefully with 'flags S', so the outgoing SYN+ECN is not creating state
> and the RST is blocked on the client?
>
> If the RST arrives at the client, and is valid, it looks like the
> problem is on the client, not the gateway.

(linewrap disabled for easier readability)

First off, 192.168.0.3 has pf enabled, the ruleset is:

pass in all
pass out all

So that shouldn't be the problem.

Here we go, first on the mailserver (192.168.0.3), with ECN disabled:

23:32:30.611782 192.168.0.3.20601 > 195.130.132.40.25: S [tcp sum ok] 74854948:74854948(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954601909 0> (DF) [tos 0x10] (ttl 64, id 30491)
  0000: 4510 0040 771b 4000 4006 bb36 c0a8 0003  E..@w.@.@..6....
  0010: c382 8428 5079 0019 0476 3224 0000 0000  ...(Py...v2$....
  0020: b002 4000 1648 0000 0204 05b4 0101 0402  ..@..H..........
  0030: 0103 0300 0101 080a 7480 dbb5 0000 0000  ........t.......
23:32:30.612034 195.130.132.40.25 > 192.168.0.3.20601: R [tcp sum ok] 0:0(0) ack 74854949 win 0 (DF) (ttl 64, id 40773)
  0000: 4500 0028 9f45 4000 4006 9334 c382 8428  E..(.E@.@..4...(
  0010: c0a8 0003 0019 5079 0000 0000 0476 3225  ......Py.....v2%
  0020: 5014 0000 204d 0000 0000 0000 0000       P... M........

All OK here.

Now with ECN enabled:

23:39:09.432429 192.168.0.3.30785 > 195.130.132.40.25: SWE [tcp sum ok] 262876226:262876226(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954602707 0> (DF) [tos 0x10] (ttl 64, id 26356)
  0000: 4510 0040 66f4 4000 4006 cb5d c0a8 0003  E..@f.@.@..]....
  0010: c382 8428 7841 0019 0fab 2c42 0000 0000  ...(xA....,B....
  0020: b0c2 4000 e54e 0000 0204 05b4 0101 0402  ..@..N..........
  0030: 0103 0300 0101 080a 7480 ded3 0000 0000  ........t.......
23:39:09.432716 195.130.132.40.25 > 192.168.0.3.30785: R [tcp sum ok] 0:0(0) ack 262876227 win 0 (DF) (ttl 64, id 54432)
  0000: 4500 0028 d4a0 4000 4006 5dd9 c382 8428  E..(..@.@.]....(
  0010: c0a8 0003 0019 7841 0000 0000 0fab 2c43  ......xA......,C
  0020: 5014 0000 f331 0000 0000 0000 0000       P....1........
23:39:15.428479 192.168.0.3.30785 > 195.130.132.40.25: SWE [tcp sum ok] 262876226:262876226(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954602719 0> (DF) [tos 0x10] (ttl 64, id 21325)
  0000: 4510 0040 534d 4000 4006 df04 c0a8 0003  E..@SM@.@.......
  0010: c382 8428 7841 0019 0fab 2c42 0000 0000  ...(xA....,B....
  0020: b0c2 4000 e542 0000 0204 05b4 0101 0402  ..@..B..........
  0030: 0103 0300 0101 080a 7480 dedf 0000 0000  ........t.......
23:39:15.428763 195.130.132.40.25 > 192.168.0.3.30785: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 64, id 41759)
  0000: 4500 0028 a31f 4000 4006 8f5a c382 8428  E..(..@.@..Z...(
  0010: c0a8 0003 0019 7841 0000 0000 0fab 2c43  ......xA......,C
  0020: 5014 0000 f331 0000 0000 0000 0000       P....1........

For some reason the second reset packet has an ack of 1.

And this is on the gateway running pf, only for the ECN packets:

23:41:13.085143 192.168.0.3.3001 > 195.130.132.40.25: SWE [tcp sum ok] 1748781580:1748781580(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954602989 0> (DF) [tos 0x10] (ttl 64, id 46470)
  0000: 4510 0040 b586 4000 4006 7ccb c0a8 0003  E..@..@.@.|.....
  0010: c382 8428 0bb9 0019 683c 4a0c 0000 0000  ...(....h<J.....
  0020: b0c2 4000 da61 0000 0204 05b4 0101 0402  ..@..a..........
  0030: 0103 0300 0101 080a 7480 dfed 0000 0000  ........t.......
  0040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0070: 0000                                     ..
23:41:13.085336 195.130.132.40.25 > 192.168.0.3.3001: R [tcp sum ok] 0:0(0) ack 1748781581 win 0 (DF) (ttl 64, id 9115)
  0000: 4500 0028 239b 4000 4006 0edf c382 8428  E..(#.@.@......(
  0010: c0a8 0003 0019 0bb9 0000 0000 683c 4a0d  ............h<J.
  0020: 5014 0000 e95e 0000                      P....^..
23:41:19.081436 192.168.0.3.3001 > 195.130.132.40.25: SWE [tcp sum ok] 1748781580:1748781580(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954603001 0> (DF) [tos 0x10] (ttl 64, id 62257)
  0000: 4510 0040 f331 4000 4006 3f20 c0a8 0003  E..@.1@.@.? ....
  0010: c382 8428 0bb9 0019 683c 4a0c 0000 0000  ...(....h<J.....
  0020: b0c2 4000 da55 0000 0204 05b4 0101 0402  ..@..U..........
  0030: 0103 0300 0101 080a 7480 dff9 0000 0000  ........t.......
  0040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0070: 0000                                     ..
23:41:19.081576 195.130.132.40.25 > 192.168.0.3.3001: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 64, id 12305)
  0000: 4500 0028 3011 4000 4006 0269 c382 8428  E..(0.@.@..i...(
  0010: c0a8 0003 0019 0bb9 0000 0000 683c 4a0d  ............h<J.
  0020: 5014 0000 e95e 0000                      P....^..

Also note that the second reset packet leaving here has an ack of 1, I don't know if this is legal.

Between the 2 hosts is an el cheapo switch which just passes the packets, it doesn't touch their contents.

Hope this helps.

Thanks.

// nick
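
Added example, not part of the original message: a small decoder run over the hex bytes of the ECN SYN and the two RSTs captured on 192.168.0.3 above, checking each RST against the SYN it answers (function names are this example's own). It reads the raw ack field from the packet bytes; tcpdump prints ack numbers relative to the initial sequence number once it has seen a connection's earlier packets, unless -S is given.

```python
import struct

# Bytes copied from the tcpdump hex columns in the message above
# (capture on 192.168.0.3 with ECN enabled).
SYN_ECN = """4510 0040 66f4 4000 4006 cb5d c0a8 0003 c382 8428 7841 0019
             0fab 2c42 0000 0000 b0c2 4000 e54e 0000 0204 05b4 0101 0402
             0103 0300 0101 080a 7480 ded3 0000 0000"""
RST_FIRST = """4500 0028 d4a0 4000 4006 5dd9 c382 8428 c0a8 0003 0019 7841
               0000 0000 0fab 2c43 5014 0000 f331 0000 0000 0000 0000"""
RST_SECOND = """4500 0028 a31f 4000 4006 8f5a c382 8428 c0a8 0003 0019 7841
                0000 0000 0fab 2c43 5014 0000 f331 0000 0000 0000 0000"""

FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def parse(hexdump):
    """Decode the IPv4 and TCP fields needed to judge a RST."""
    raw = bytes.fromhex(hexdump)            # whitespace in the dump is skipped
    ihl = (raw[0] & 0x0F) * 4               # IPv4 header length in bytes
    total = sum(struct.unpack("!%dH" % (ihl // 2), raw[:ihl]))
    while total >> 16:                      # fold carries (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return {"src": raw[12:16], "dst": raw[16:20], "sport": sport,
            "dport": dport, "seq": seq, "ack": ack,
            "ip_sum_ok": total == 0xFFFF,
            "flags": {n for bit, n in FLAG_BITS.items() if off_flags & bit}}

def rst_answers_syn(syn, rst):
    """True if rst is a RST+ACK from the SYN's peer acknowledging ISN + 1."""
    return (rst["flags"] == {"RST", "ACK"}
            and (rst["src"], rst["sport"]) == (syn["dst"], syn["dport"])
            and (rst["dst"], rst["dport"]) == (syn["src"], syn["sport"])
            and rst["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF)

if __name__ == "__main__":
    syn = parse(SYN_ECN)
    print("SYN flags", sorted(syn["flags"]), "seq", syn["seq"])
    for name, dump in (("first", RST_FIRST), ("second", RST_SECOND)):
        rst = parse(dump)
        print(name, "RST raw ack", rst["ack"],
              "answers SYN:", rst_answers_syn(syn, rst))
```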
