So, there are indeed 2 states, one without wscaling. I don't understand
why the returning state (S->C) is created, and not matched to the
initial NAT state? Is it because I create the state on "out" and is this
then invalid?! I use this normally without problems on many routers.
I have a very large ruleset, with 10+ segments and many hosts, but I
have only one state rule: "pass out keep state". I have default deny on
everything. In essence the stripped ruleset relevant for the case is:
block log all
pass out keep state
nat on vlan_external from vlan_x:network to $internet -> $gateway
pass in on vlan_x from vlan_x:network to $internet
Scrubbing on/off seems to make no difference.
Regards,
Fredrik Widlund
Fredrik Widlund wrote:
> Daniel Hartmeier wrote:
>
>> Please enable debug logging (pfctl -xm), and repeat the procedure,
>> capturing one failing connection from handshake to the point of failure
>> as you already did. Then check /var/log/messages for any lines from pf
>> related to this connection ('BAD state' messages, likely). Then post
>> both.
>>
>>
> Indeed...
>
> Messages:
> Mar 30 12:04:23 fw0 /bsd: pf: State failure on: 1 |
> Mar 30 12:04:24 fw0 /bsd: pf_map_addr: selected address C'
> Mar 30 12:04:24 fw0 last message repeated 10 times
> Mar 30 12:04:24 fw0 /bsd: pf: BAD state: TCP S:25 S:25 C:9941 [lo=2363613954 high=2363630270 win=46 modulator=0] [lo=2151961792 high=2151961838 win=16384 modulator=0] 4:4 FPA seq=2151961792 ack=2363613954 len=59 ackskew=0 pkts=6:1 dir=in,rev
> [repeated]
>
> States:
> self tcp S:25 -> C:9941 ESTABLISHED:ESTABLISHED
> [2363613954 + 16316] [2151961792 + 46]
> age 00:00:11, expires in 04:59:55, 7:1 pkts, 780:52 bytes, rule 1
> id: 43f0a54e0ae28e78 creatorid: 05641fa7
> [...]
> self tcp C:9941 -> C':58898 -> S:25 ESTABLISHED:ESTABLISHED
> [2151961791 + 5889] wscale 0 [2363613954 + 16316] wscale 7
> age 00:00:11, expires in 04:59:55, 2:7 pkts, 116:780 bytes, rule 1
> id: 43f0a54e0ae28e77 creatorid: 05641fa7
>
> Internal:
> 12:04:20.429149 C.9941 > S.25: S 2151961791:2151961791(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3978754392 0>
> 12:04:20.439037 S.25 > C.9941: S 2363613885:2363613885(0) ack 2151961792 win 5792 <mss 1380,sackOK,timestamp 4201632495 3978754392,nop,wscale 7> (DF)
> 12:04:20.439143 C.9941 > S.25: . ack 1 win 16384 <nop,nop,timestamp 3978754392 4201632495>
> 12:04:20.439268 C.9941 > S.25: P 1:60(59) ack 1 win 16384 <nop,nop,timestamp 3978754392 4201632495>
> 12:04:20.439270 C.9941 > S.25: F 60:60(0) ack 1 win 16384 <nop,nop,timestamp 3978754392 4201632495>
> 12:04:20.449877 S.25 > C.9941: P 1:69(68) ack 1 win 46 <nop,nop,timestamp 4201632506 3978754392> (DF)
> 12:04:20.449987 C.9941 > S.25: F 60:60(0) ack 69 win 16316 <nop,nop,timestamp 3978754392 4201632506>
> [repeats]
>
> External:
> 12:04:20.429433 C'.58898 > S.25: S 2151961791:2151961791(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3978754392 0>
> 12:04:20.439018 S.25 > C'.58898: S 2363613885:2363613885(0) ack 2151961792 win 5792 <mss 1380,sackOK,timestamp 4201632495 3978754392,nop,wscale 7> (DF)
> 12:04:20.439160 C'.58898 > S.25: . ack 1 win 16384 <nop,nop,timestamp 3978754392 4201632495>
> 12:04:20.449863 S.25 > C'.58898: P 1:69(68) ack 1 win 46 <nop,nop,timestamp 4201632506 3978754392> (DF)
> 12:04:20.659761 S.25 > C'.58898: P 1:69(68) ack 1 win 46 <nop,nop,timestamp 4201632716 3978754392> (DF)
> [repeats]
>
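As an added example (not from the thread or from pf itself), a small Python script that parses the quoted "BAD state" line and re-runs the sequence-window check on the logged packet, once with the window scale pf recorded for that state (none) and once with the wscale 7 that S advertised in its SYN-ACK. The check mirrors my reading of pf's TCP state tracking (seqhi = peer's ack + peer's window << wscale, segment end must not pass seqhi) and is an assumption, not pf's code.

```python
import re

# Constructed input: the "pf: BAD state" line quoted above, re-joined onto one
# line (S and C are the placeholder host names used in the mail).
BAD_STATE_LINE = (
    "pf: BAD state: TCP S:25 S:25 C:9941 "
    "[lo=2363613954 high=2363630270 win=46 modulator=0] "
    "[lo=2151961792 high=2151961838 win=16384 modulator=0] "
    "4:4 FPA seq=2151961792 ack=2363613954 len=59 ackskew=0 pkts=6:1 dir=in,rev"
)

TRACKER = r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+\]"
LINE_RE = re.compile(
    r"BAD state: TCP \S+ \S+ \S+ " + TRACKER + " " + TRACKER +
    r" \d+:\d+ (\S+) seq=(\d+) ack=(\d+) len=(\d+) ackskew=(-?\d+) pkts=\S+ dir=(\S+)"
)
MASK = 0xFFFFFFFF

def seq_geq(a, b):
    """Wrap-around compare of 32-bit sequence numbers (like pf's SEQ_GEQ)."""
    return ((a - b) & MASK) < 0x80000000

def parse_bad_state(line):
    """Split a pf BAD state line into the sender's and receiver's trackers."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a pf BAD state line")
    g = m.groups()
    first = {"lo": int(g[0]), "high": int(g[1]), "win": int(g[2])}
    second = {"lo": int(g[3]), "high": int(g[4]), "win": int(g[5])}
    # pf prints the state creator's side first; ",rev" means the packet runs
    # against the state, so the sender's tracker is the second bracket.
    src, dst = (second, first) if g[11].endswith(",rev") else (first, second)
    return {"flags": g[6], "seq": int(g[7]), "ack": int(g[8]),
            "len": int(g[9]), "ackskew": int(g[10]), "src": src, "dst": dst}

def window_check(p, dws=0):
    """Redo the sequence-window check for the logged packet. dws is the
    receiver's window-scale shift; the logged state used 0 (no wscale)."""
    # SYN and FIN each occupy one sequence number
    end = (p["seq"] + p["len"] + ("S" in p["flags"]) + ("F" in p["flags"])) & MASK
    # sender's allowed high edge: receiver's last ack (src.lo) + receiver's window
    high = (p["src"]["lo"] + (p["dst"]["win"] << dws)) & MASK
    ok = (seq_geq(high, end)
          and seq_geq(p["seq"], (p["src"]["lo"] - (p["dst"]["win"] << dws)) & MASK)
          and abs(p["ackskew"]) <= 65535)  # simplified ack-skew bound
    return {"end": end, "high": high, "ok": ok}

if __name__ == "__main__":
    pkt = parse_bad_state(BAD_STATE_LINE)
    for dws in (0, 7):  # 7 = the wscale S advertised in the SYN-ACK
        print(f"wscale shift {dws}:", window_check(pkt, dws))
```

With shift 0 the 59-byte FIN/PUSH segment ends at 2151961852, past the 46-byte high edge 2151961838 that the log shows; with shift 7 the same segment fits with room to spare.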