The ruleset on one of our firewalls here was recently updated to be
default deny. Shortly after, we received reports that connections
were dying with increased frequency. I cranked up the pfctl debug level
and discovered a lot of "BAD state" entries. In an effort to fix the
problem I read through the archives and came across a thread with
similar issues, and as a result all the TCP rules were updated to
use flags S/SA. I believe this has helped; however, we're still
seeing entries such as the one below.


[ linux_server is a machine behind our openbsd firewall ]

pf: BAD state: TCP linux_server:43541 linux_server:43541 
        other_server:443 [lo=1144898851 high=1144915311 win=5840 
        modulator=389869126 wscale=0] [lo=2177039318 high=2177044306 win=16560 
        modulator=1496631458 wscale=0] 4:4 R seq=2177039318 ack=1144898851 
        len=0 ackskew=0 pkts=29:17 dir=in,rev
pf: State failure on:         |    

Should there be more info on the second line? Am I seeing an unhandled
case in the debug output? A couple of other questions here: can I find out
what interface this check is happening on? And what exactly do "in" and
"rev" mean here?


Thanks,

Mike.
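For readers who want to decode lines like the one above, here is a small parser that splits a "pf: BAD state: TCP" line into its fields and re-runs the sequence-window checks on it. This is an added example and not code from the post or from pf itself. Two points it relies on: in pf's output, "in"/"out" is the packet's direction on the interface, and "fwd"/"rev" says whether the packet matched the state in the direction the state was created in or the reverse, in which case pf swaps the src and dst peers before checking; and the four window conditions below are my reading of pf_test_state_tcp() in pf.c (an assumption to verify against the source of the release you run), with MAXACKWINDOW taken as 0xffff. The sample input is the post's own line re-joined onto one line; the second, failing sample is constructed.

```python
import re

# pf.c constant (assumed value 0xffff; check the pf.c of your release).
MAXACKWINDOW = 0xFFFF
M32 = 0xFFFFFFFF

# Constructed sample: the BAD state line from the post, re-joined onto one line.
SAMPLE = (
    "pf: BAD state: TCP linux_server:43541 linux_server:43541 other_server:443 "
    "[lo=1144898851 high=1144915311 win=5840 modulator=389869126 wscale=0] "
    "[lo=2177039318 high=2177044306 win=16560 modulator=1496631458 wscale=0] "
    "4:4 R seq=2177039318 ack=1144898851 len=0 ackskew=0 pkts=29:17 dir=in,rev"
)

PEER_RE = re.compile(
    r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale=(\d+)\]")
PKT_RE = re.compile(
    r"(\d+):(\d+) (\S+) seq=(\d+) ack=(\d+) len=(\d+) ackskew=(-?\d+) "
    r"pkts=(\d+):(\d+) dir=(\w+),(\w+)")


def seq_geq(a, b):
    """SEQ_GEQ(a, b): modular 32-bit 'a >= b', the way TCP and pf compare sequence numbers."""
    return ((a - b) & M32) < 0x80000000


def to_s32(x):
    """Reinterpret a 32-bit unsigned difference as the signed int pf keeps in ackskew."""
    x &= M32
    return x - (1 << 32) if x & 0x80000000 else x


def parse_bad_state(line):
    """Split one 'pf: BAD state: TCP ...' line into its fields.

    The first [...] block is the state's src peer, the second its dst peer.
    'dir=in,rev' means the packet arrived inbound on the interface and matched
    the state in the reverse direction (it travels from the state's dst peer
    toward its src peer), so pf swaps the peers before running its checks."""
    peers = PEER_RE.findall(line)
    if len(peers) != 2:
        raise ValueError("expected two [lo=... wscale=...] peer blocks")
    m = PKT_RE.search(line)
    if not m:
        raise ValueError("could not parse the packet fields")

    def peer(t):
        lo, hi, win, mod, ws = map(int, t)
        return {"seqlo": lo, "seqhi": hi, "max_win": win,
                "modulator": mod, "wscale": ws}

    return {
        "src": peer(peers[0]), "dst": peer(peers[1]),
        "src_state": int(m.group(1)), "dst_state": int(m.group(2)),
        "flags": m.group(3),
        "seq": int(m.group(4)), "ack": int(m.group(5)), "len": int(m.group(6)),
        "ackskew": int(m.group(7)),
        "pkts": (int(m.group(8)), int(m.group(9))),
        "dir": m.group(10), "reversed": m.group(11) == "rev",
    }


def window_checks(rec):
    """Re-run the sequence-window tests on a parsed line.

    The four conditions are my reading of pf_test_state_tcp() (assumption:
    compare with the pf.c of the release you run). 'src' here is the peer
    that sent the packet, which for a 'rev' match is the state's dst peer."""
    src, dst = rec["src"], rec["dst"]
    if rec["reversed"]:
        src, dst = dst, src
    sws, dws = src["wscale"], dst["wscale"]
    seq, ack = rec["seq"], rec["ack"]
    end = seq + rec["len"]
    # pf counts SYN and FIN as one octet each of sequence space.
    if "S" in rec["flags"]:
        end += 1
    if "F" in rec["flags"]:
        end += 1
    end &= M32
    ackskew = to_s32(dst["seqlo"] - ack)    # the quantity pf logs as ackskew=
    checks = {
        # last octet of the segment is inside what the other side advertised
        "seqhi>=end": seq_geq(src["seqhi"], end),
        # not more than one (scaled) window behind the sender's own left edge
        "seq>=seqlo-maxwin": seq_geq(seq, (src["seqlo"] - (dst["max_win"] << dws)) & M32),
        # ack not more than one window back ...
        "ackskew>=-MAXACKWINDOW": ackskew >= -MAXACKWINDOW,
        # ... nor more than one (scaled) window forward
        "ackskew<=MAXACKWINDOW<<sws": ackskew <= (MAXACKWINDOW << sws),
    }
    return {"end": end, "ackskew": ackskew, "checks": checks,
            "failed": [name for name, ok in checks.items() if not ok]}


if __name__ == "__main__":
    rec = parse_bad_state(SAMPLE)
    res = window_checks(rec)
    print("direction:", rec["dir"], "reversed match:", rec["reversed"], "flags:", rec["flags"])
    print("failed window checks:", res["failed"] or "none")
```

Run against the post's line, none of the four window checks fails, which agrees with the "State failure on:" line carrying only blanks: in pf.c that line prints a digit for each check that tripped, so a blank line means the packet passed the window tests and was rejected on some other condition. Editing the seq value to sit past the peer's high edge makes the first check fail, which is how a blank-versus-numbered failure line can be told apart before you go digging in the source.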
