Hi,
playing with pftop and src-track I discovered that every connection from my
home network to my OpenBSD 3.5-stable server on the internet doesn't get
closed. PF always shows the FIN_WAIT_2:FIN_WAIT_2 status.
This means that if I use telnet to any open port and then close the
connection, PF will keep the connection in FIN_WAIT_2 status until the time
limit expires. This is a behaviour that you don't notice without the src-track
option, because the server will keep accepting new connections...
I tried several programs (telnet, mail clients and various browsers) from
both FreeBSD and OpenBSD workstations. My home firewall is running OpenBSD
3.6 with a 2-line ruleset:
pass out quick all keep state
block in quick all
The strange thing is that other connections to the server from other hosts on
the internet don't get closed either! PF will always put them in one of these
two statuses: TIME_WAIT:TIME_WAIT or FIN_WAIT_2:FIN_WAIT_2.
I have a slight suspicion that FIN_WAIT_2:FIN_WAIT_2 happens if both of
the peers (my server and the host) are protected by PF, while
TIME_WAIT:TIME_WAIT happens when the host isn't protected by PF.
This is my PF ruleset on the server:
table <Spoof> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8 }
pass out quick on lo0 all keep state
pass in quick on lo0 all keep state
block in quick on fxp0 inet proto tcp from <Spoof>
block out quick on fxp0 inet from any to <Spoof>
block in quick on fxp0 inet6 all
pass out quick on fxp0 inet from (fxp0) to any keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port 25 flags S/SAFR keep state (source-track rule, max-src-nodes 20, max-src-states 2)
pass in quick on fxp0 inet proto tcp from any to (fxp0) port 80 flags S/SAFR keep state (source-track rule, max-src-nodes 50, max-src-states 10)
block in quick all
Any clue ?
Ed
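As an added example (not part of Ed's post, and not OpenBSD's or pftop's own code): a small script that parses `pfctl -ss` output and counts, per remote host, the inbound TCP states pf is still holding, so that lingering FIN_WAIT_2:FIN_WAIT_2 and TIME_WAIT:TIME_WAIT states that count against a rule's max-src-states become visible. The sample output is constructed; the line layout ("local <- peer" for inbound, "local -> peer" for outbound, then the two peers' states) is assumed from OpenBSD 3.x pfctl and the hosts and counts are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `pfctl -ss` output for this example. The line layout
# is assumed from OpenBSD 3.x pfctl; the hosts and counts are made up and are
# not taken from the original post.
SAMPLE_PFCTL_SS = """\
self tcp 198.51.100.10:25 <- 203.0.113.7:49152       ESTABLISHED:ESTABLISHED
self tcp 198.51.100.10:25 <- 203.0.113.7:49153       FIN_WAIT_2:FIN_WAIT_2
self tcp 198.51.100.10:80 <- 203.0.113.7:49200       FIN_WAIT_2:FIN_WAIT_2
self tcp 198.51.100.10:80 <- 192.0.2.44:1025       TIME_WAIT:TIME_WAIT
self tcp 198.51.100.10:80 <- 192.0.2.44:1026       TIME_WAIT:TIME_WAIT
self tcp 198.51.100.10:80 <- 192.0.2.44:1027       ESTABLISHED:ESTABLISHED
self tcp 198.51.100.10:51000 -> 192.0.2.9:25       ESTABLISHED:ESTABLISHED
self udp 198.51.100.10:53 <- 192.0.2.44:5353       SINGLE:NO_TRAFFIC
"""

# interface, proto, local endpoint, optional "(nat addr)", arrow, peer, state pair
STATE_LINE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)\s+(?:\(\S+\)\s+)?"
    r"(?P<arrow><-|->)\s+(?P<right>\S+)\s+"
    r"(?P<state>\S+:\S+)\s*$"
)


def host_of(endpoint):
    """Strip the port from 'a.b.c.d:port' (IPv4) or 'addr[port]' (IPv6)."""
    if "[" in endpoint:
        return endpoint.split("[", 1)[0]
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Return one dict per state line: proto, inbound flag, local, peer, state."""
    entries = []
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if not m:
            continue  # skip anything that is not a one-line state entry
        # Both arrows put our side on the left and the remote host on the right:
        # inbound reads "local <- peer", outbound reads "local -> peer".
        entries.append({
            "proto": m.group("proto"),
            "inbound": m.group("arrow") == "<-",
            "local": m.group("left"),
            "peer": host_of(m.group("right")),
            "state": m.group("state"),
        })
    return entries


def inbound_tcp_states_per_peer(text):
    """Map each remote host to a Counter of the pf state pairs it holds on us.

    This is the population a rule's max-src-states limit is applied to."""
    per_peer = defaultdict(Counter)
    for e in parse_states(text):
        if e["proto"] == "tcp" and e["inbound"]:
            per_peer[e["peer"]][e["state"]] += 1
    return dict(per_peer)


def lingering_states_per_peer(per_peer):
    """Per host, count states that are anything other than ESTABLISHED on both sides."""
    return {
        host: sum(n for st, n in counts.items() if st != "ESTABLISHED:ESTABLISHED")
        for host, counts in per_peer.items()
    }


def hosts_at_limit(per_peer, max_src_states):
    """Hosts whose total state count already meets the rule's max-src-states."""
    return sorted(h for h, c in per_peer.items() if sum(c.values()) >= max_src_states)


if __name__ == "__main__":
    per_peer = inbound_tcp_states_per_peer(SAMPLE_PFCTL_SS)
    for host, counts in sorted(per_peer.items()):
        print(host, dict(counts))
    print("lingering:", lingering_states_per_peer(per_peer))
    print("at max-src-states 2:", hosts_at_limit(per_peer, 2))
```

On a real box you would feed the output of `pfctl -ss` to `inbound_tcp_states_per_peer` instead of the constructed sample; hosts listed by `hosts_at_limit` with a non-zero lingering count are the ones whose half-closed connections, not live traffic, are consuming the max-src-states quota until the state timeout expires.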