Hi,
I'm having what seems to be an issue with the OpenBSD 3.8 firewall. It
seems to be blocking SYN packets, not really randomly, but I can't
figure out what's causing its behaviour.
Here is the basic network layout:
- We have a LAN connected to a T1, the LAN computers connect to a
remote UNIX server to run an Accounting application.
- There are 3 network printers at the office that the remote
application needs to print to, two dot matrix printers connected to
Intel print servers, and one HP LaserJet with a JetDirect card.
- The printers all accept print jobs on the same port (515), so each of
them has to come in on a different external IP (the printers themselves
have LAN IPs), the firewall then does the appropriate NAT translation.
- The remote application sends the print job to the external IP, which
then gets routed to the LAN IP of the print server.
- The machine also serves as a firewall and DHCP server for the LAN.
- Everything except the SYN problem is working great.
THE PROBLEM:
The printing works perfectly most of the time, they hit print in the
application and it comes out. All the traffic on the network looks
normal.
HOWEVER, occasionally when they try to print a couple of reports in a row,
they get about a 60 second pause in between each report. This happens on
all the printers. I've traced the problem down to this:
#### tcpdump from the internal interface ####
09:16:22.555629 192.168.0.52.printer > my.server.com.1020: P 5:6(1) ack 1912 win 2920
09:16:22.577971 my.server.com.1020 > 192.168.0.52.printer: F 1912:1912(0) ack 6 win 24820 (DF)
09:16:22.581940 192.168.0.52.printer > my.server.com.1020: P ack 1913 win 2920
09:16:22.583959 192.168.0.52.printer > my.server.com.1020: F 6:6(0) ack 1913 win 2920
09:16:22.606973 my.server.com.1020 > 192.168.0.52.printer: . ack 7 win 24820 (DF)
# note the two SYN packets below and the time
09:17:52.017830 my.server.com.1019 > 192.168.0.52.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:52.021891 192.168.0.52.printer > my.server.com.1019: S 1307185000:1307185000(0) ack 1027809278 win 2920 <mss 1460>
09:17:52.044759 my.server.com.1019 > 192.168.0.52.printer: . ack 1 win 24820 (DF)
09:17:52.045204 my.server.com.1019 > 192.168.0.52.printer: P 1:13(12) ack 1 win 24820 (DF)
09:17:52.056031 192.168.0.52.printer > my.server.com.1019: P ack 13 win 2920
#### tcpdump from the external interface ####
09:16:22.555645 MY.PR.EXT.IP.printer > my.server.com.1020: P 5:6(1) ack 1912 win 2920
09:16:22.577952 my.server.com.1020 > MY.PR.EXT.IP.printer: F 1912:1912(0) ack 6 win 24820 (DF)
09:16:22.581957 MY.PR.EXT.IP.printer > my.server.com.1020: P ack 1913 win 2920
09:16:22.583975 MY.PR.EXT.IP.printer > my.server.com.1020: F 6:6(0) ack 1913 win 2920
09:16:22.606955 my.server.com.1020 > MY.PR.EXT.IP.printer: . ack 7 win 24820 (DF)
# note that there are a lot more SYN packets below than there are in
# the internal trace
09:16:33.573302 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:16:39.203673 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:03.476992 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:52.017731 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:52.021921 MY.PR.EXT.IP.printer > my.server.com.1019: S 1307185000:1307185000(0) ack 1027809278 win 2920 <mss 1460>
09:17:52.044737 my.server.com.1019 > MY.PR.EXT.IP.printer: . ack 1 win 24820 (DF)
09:17:52.045187 my.server.com.1019 > MY.PR.EXT.IP.printer: P 1:13(12) ack 1 win 24820 (DF)
09:17:52.056049 MY.PR.EXT.IP.printer > my.server.com.1019: P ack 13 win 2920
It seems like 4 SYN packets have to be attempted before one is let
through. Is my pf blocking SYN packets for some reason?
Please help!
Thanks in advance,
--Dmitriy
############################# BEGIN /etc/pf.conf ##################################
( NOTE: These are super relaxed rules, I took out the blocks trying to figure out the problem )
# set these
int_if = "xl0"
ext_if = "fxp0"
print_services = "{ 515, 9100, 9102 }"
tcp_services = "24"
icmp_types = "echoreq"
## Printers ##
# External Printer IPs
cadhp4000_ext = "X"
cadkxp3626_ext = "Y"
cadkxp3624_ext = "Z"
# Internal Printer IPs
cadhp4000_int = "192.168.0.50"
cadkxp3624_int = "192.168.0.51"
cadkxp3626_int = "192.168.0.52"
# Internal printers
printers_int = "{" $cadhp4000_int $cadkxp3624_int $cadkxp3626_int "}"
## Some general rules ##
# Set block policy
set block-policy return
set loginterface $ext_if
# Disable filtering on the loopback interface
set skip on lo0
# Clean up traffic
scrub in all
## NAT ##
# nat rules are first-match: .50 and .52 get their own external address,
# everything else on the LAN (including .51) is translated to Z
nat on $ext_if from $cadhp4000_int to any -> $cadhp4000_ext
nat on $ext_if from $cadkxp3626_int to any -> $cadkxp3626_ext
nat on $ext_if from $int_if:network to any -> $cadkxp3624_ext
## Redirection ##
# Redirect rules (forwarding for the printers)
rdr on $ext_if proto {tcp,udp} from any to $cadhp4000_ext port $print_services -> $cadhp4000_int
rdr on $ext_if proto {tcp,udp} from any to $cadkxp3624_ext port $print_services -> $cadkxp3624_int
rdr on $ext_if proto {tcp,udp} from any to $cadkxp3626_ext port $print_services -> $cadkxp3626_int
## Filtering ##
# Block port 25
block drop in quick on $ext_if proto {tcp, udp} from any to "MY.NET.IP.ADR/24" port 25
# Allow Internet access to services running on the firewall machine
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
# IMPORTANT: We MUST also create a pass rule for the rdr rule for the printers
# (translation happens before filtering, so the filter sees the internal addresses)
pass in on $ext_if proto tcp from any to $printers_int port $print_services flags S/SA keep state
# Pass ICMP
pass in inet proto icmp all icmp-type $icmp_types keep state
# Pass traffic into the internal interface, allowing internal users some freedom
pass in on $int_if from $int_if:network to any keep state
# Pass traffic from internal interface to the network, to allow the firewall to initiate connections
# with hosts on the network
pass out on $int_if from any to $int_if:network keep state
# Pass outbound traffic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# Debugging catch-alls. pf is last-match-wins (none of the pass rules above use
# "quick"), so these two stateless rules take precedence over every pass rule
# above them; OpenBSD 3.8 does not add "keep state" by default.
pass in all
pass out all
############################# END /etc/pf.conf ##################################
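As an added example that is not part of Dmitriy's post, the script below takes the two traces he quoted (embedded verbatim as constructed sample input, the internal one abridged to the lines the check needs) and pairs each client SYN seen on the external interface with a SYN of the same source port and initial sequence number seen on the internal interface within one second; an external SYN with no partner inside is one the firewall did not forward. It also reports how long the client kept retrying before a SYN got through, and the interval between the last packet of the preceding connection and that accepted SYN. The client host name my.server.com is taken from the post; the one-second pairing window is an assumption of the example.

```python
"""Pair client SYNs seen outside a pf firewall with the SYNs that came out
inside, to show which ones were dropped and how long the client waited.

Added example, not code from the original post. The traces are the tcpdump
lines quoted in the post (tcpdump 3.x one-line TCP format); the one-second
pairing window is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trace lines copied from the post (comment lines left out).
EXTERNAL_TRACE = """\
09:16:22.555645 MY.PR.EXT.IP.printer > my.server.com.1020: P 5:6(1) ack 1912 win 2920
09:16:22.577952 my.server.com.1020 > MY.PR.EXT.IP.printer: F 1912:1912(0) ack 6 win 24820 (DF)
09:16:22.581957 MY.PR.EXT.IP.printer > my.server.com.1020: P ack 1913 win 2920
09:16:22.583975 MY.PR.EXT.IP.printer > my.server.com.1020: F 6:6(0) ack 1913 win 2920
09:16:22.606955 my.server.com.1020 > MY.PR.EXT.IP.printer: . ack 7 win 24820 (DF)
09:16:33.573302 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:16:39.203673 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:03.476992 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:52.017731 my.server.com.1019 > MY.PR.EXT.IP.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:52.021921 MY.PR.EXT.IP.printer > my.server.com.1019: S 1307185000:1307185000(0) ack 1027809278 win 2920 <mss 1460>
09:17:52.044737 my.server.com.1019 > MY.PR.EXT.IP.printer: . ack 1 win 24820 (DF)
"""
# Internal trace, abridged to the lines the comparison needs.
INTERNAL_TRACE = """\
09:16:22.555629 192.168.0.52.printer > my.server.com.1020: P 5:6(1) ack 1912 win 2920
09:16:22.606973 my.server.com.1020 > 192.168.0.52.printer: . ack 7 win 24820 (DF)
09:17:52.017830 my.server.com.1019 > 192.168.0.52.printer: S 1027809277:1027809277(0) win 24820 <mss 1460> (DF)
09:17:52.021891 192.168.0.52.printer > my.server.com.1019: S 1307185000:1307185000(0) ack 1027809278 win 2920 <mss 1460>
09:17:52.044759 my.server.com.1019 > 192.168.0.52.printer: . ack 1 win 24820 (DF)
"""

# host.port > host.port: FLAGS [seq:seq(len)] [ack N] ...   (port may be a service name)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[^\s.:]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[^\s.:]+):\s+"
    r"(?P<flags>[SFPRW.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\(\d+\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)


@dataclass
class Packet:
    ts: float           # seconds since midnight (these traces do not cross midnight)
    src: str
    sport: str
    dst: str
    dport: str
    flags: str
    seq: Optional[int]  # first sequence number when the line carries a seq range
    ack: Optional[int]


def to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # comments and anything that is not a TCP summary line
        pkts.append(Packet(to_seconds(m["ts"]), m["src"], m["sport"], m["dst"], m["dport"],
                           m["flags"], int(m["seq"]) if m["seq"] else None,
                           int(m["ack"]) if m["ack"] else None))
    return pkts


def client_syns(pkts: List[Packet], client: str) -> List[Packet]:
    """Initial SYNs from the client: SYN set and no ACK (excludes the SYN/ACK reply)."""
    return [p for p in pkts if p.src == client and "S" in p.flags and p.ack is None]


def analyze(ext_text: str, int_text: str, client: str = "my.server.com",
            window: float = 1.0) -> Dict[str, object]:
    ext, inn = parse_trace(ext_text), parse_trace(int_text)
    ext_syns, int_syns = client_syns(ext, client), client_syns(inn, client)
    if not ext_syns:
        return {"attempts": 0, "dropped": 0}
    # A SYN counts as forwarded if the same source port and ISN show up inside
    # within `window` seconds; rdr rewrites the destination, so it is not compared.
    forwarded = [any(i.sport == s.sport and i.seq == s.seq and abs(i.ts - s.ts) <= window
                     for i in int_syns) for s in ext_syns]
    first = ext_syns[0]
    passed = next((s for s, f in zip(ext_syns, forwarded) if f), None)
    # last packet of whatever connection preceded the retry burst
    prev_close = max((p.ts for p in ext if p.ts < first.ts), default=None)
    return {
        "attempts": len(ext_syns),
        "dropped": forwarded.count(False),
        "client_port": first.sport,
        "isn": first.seq,
        "wait": round(passed.ts - first.ts, 6) if passed else None,
        "gap_since_prev_close": (round(passed.ts - prev_close, 6)
                                 if passed and prev_close is not None else None),
    }


if __name__ == "__main__":
    for k, v in analyze(EXTERNAL_TRACE, INTERNAL_TRACE).items():
        print(f"{k:>22}: {v}")
```

On the quoted lines it reports 4 attempts, 3 dropped, 78.4 s of retries on source port 1019 with ISN 1027809277, and 89.4 s from the previous connection's final ACK to the SYN that was accepted. pf's default tcp.closed timeout is 90 s (pfctl -st prints the live values), and a SYN that matches an existing state entry but not its sequence window is dropped rather than used to open a new state, so an interval that close to the timeout is a reason to run pfctl -ss during the pause and look for a lingering state on the client's source port before blaming the filter rules. That is a hypothesis to verify on the box, not something these two traces prove.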