Hi All! I tried to make a service check with hping the following way: hping -c 1 -s 60002 -S -p 22 1.2.3.4 (in this case hping sends a syn (with source port 60002), and will send a rst, when receives a syn-ack)
First time it was successful (1 packets tramitted, 1 packets received, 0% packet loss), but second time it failed (1 packets tramitted, 0 packets received, 100% packet loss). As I saw, the first connection did not closed and still remained in the pf state table, however a reset (rst) was sent by hping. When connection expires in the state table, then the check is successful again. Why did not close pf the connection, when a reset (rst) is sent after a syn-ack? Tcpdump shows the following communication on the source machine (this was successful): 12:45:02.761746 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 192.168.1.4.22: S 215465096:215465096(0) win 512 12:45:02.762097 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4 (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S 3301432887:3301432887(0) ack 215465097 win 16384 <mss 1460> 12:45:02.762106 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R 215465097:215465097(0) win 0 Second time, when I start a hping check, then tcpdump show this (this was unsuccessfull, because there was already a connection in the state table) : 15:41:03.579824 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4 (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 2037385571:2037385571(0) win 512 State table shows the following after the reset was sent: pfctl -s state STATES: all tcp 1.2.3.4:22 <- 1.2.3.5:60002 TIME_WAIT:TIME_WAIT Same result was on openbsd 3.7 and 3.8. Is this communication invalid? Is it against rfc? Thanks for all your help in advance! Best regards, Tamas
smime.p7s
Description: S/MIME cryptographic signature
