On Wed, Jul 05, 2006 at 02:07:42PM +0200, Daniel Rapp wrote:

> pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25
> bbb.bbb.bbb.bbb:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0]
> [lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566
> ack=740836633 len=0 ackskew=0 pkts=2:4 dir=in,fwd
> pf: State failure on: |
Ah, that means the RST didn't actually have a th_seq of 1937461566; we're logging after adjusting it ("Ease sequencing restrictions on no data packets"), somewhat confusing seeing that the first time ;)

This message means a TCP RST packet (incoming on the external interface) was blocked by pf because its sequence number th_seq did not precisely match. We check for a precise match to make guessing (blind reset attacks) harder.

This is a RST that was sent from the external peer, and we blocked it. So it can't explain why the server produces a "connection reset by peer" log message. Maybe subsequent RSTs (also from the external peer) have exactly matching th_seq and pass.

But none of this shows anything except that the RSTs seem to originate from the external peer...

Daniel
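The following is an added triage helper, not code from the thread or from pf itself. It parses a "pf: BAD state:" log line of the shape quoted above into its fields and, for an RST, reports how the packet's seq relates to each of the two sequence trackers printed in the state: an exact match on the tracker's lo (the strict rule the message describes), merely inside the [lo, high] window, or outside it. The exact-match rule is a simplified model of the check the message describes, not pf's actual code; which of the two trackers applies to a given packet depends on the state's direction, so both are reported rather than guessed. The second sample line is constructed to show the case where the RST falls inside the window but would still fail a strict check.

```python
import re

# Sample log lines. The first is the anonymised line quoted in the thread; the
# second is constructed for this example (seq is 100 above the first tracker's lo).
SAMPLE_LINES = [
    "pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25 bbb.bbb.bbb.bbb:2554 "
    "[lo=1937461566 high=1937478751 win=65535 modulator=0] "
    "[lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566 "
    "ack=740836633 len=0 ackskew=0 pkts=2:4 dir=in,fwd",
    "pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25 bbb.bbb.bbb.bbb:2555 "
    "[lo=1000000 high=1065535 win=65535 modulator=0] "
    "[lo=2000000 high=2017184 win=17184 modulator=0] 4:4 R seq=1000100 "
    "ack=2000000 len=0 ackskew=0 pkts=2:4 dir=in,fwd",
]

# Field layout as printed in the quoted line: proto, three address:port pairs,
# two sequence trackers, TCP state pair, flags, seq/ack, length, skew, counters, direction.
BAD_STATE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<a0>\S+) (?P<a1>\S+) (?P<a2>\S+) "
    r"\[lo=(?P<lo0>\d+) high=(?P<hi0>\d+) win=(?P<win0>\d+) modulator=(?P<mod0>\d+)\] "
    r"\[lo=(?P<lo1>\d+) high=(?P<hi1>\d+) win=(?P<win1>\d+) modulator=(?P<mod1>\d+)\] "
    r"(?P<st0>\d+):(?P<st1>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) "
    r"len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+) pkts=(?P<pin>\d+):(?P<pout>\d+) "
    r"dir=(?P<dir>\S+)"
)

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap around at 32 bits


def parse_bad_state(line):
    """Return a dict of the fields in a 'pf: BAD state:' line, or None if it does not match."""
    m = BAD_STATE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "proto": g["proto"],
        "addrs": (g["a0"], g["a1"], g["a2"]),
        # each tracker: (lo, high, win, modulator)
        "trackers": [
            tuple(int(g[k]) for k in ("lo0", "hi0", "win0", "mod0")),
            tuple(int(g[k]) for k in ("lo1", "hi1", "win1", "mod1")),
        ],
        "states": (int(g["st0"]), int(g["st1"])),
        "flags": g["flags"],
        "seq": int(g["seq"]),
        "ack": int(g["ack"]),
        "len": int(g["len"]),
        "ackskew": int(g["ackskew"]),
        "pkts": (int(g["pin"]), int(g["pout"])),
        "dir": g["dir"],
    }


def classify_seq(seq, lo, high):
    """Classify seq against one tracker: 'exact' (seq == lo), 'window' (inside
    [lo, high] allowing 32-bit wraparound) or 'outside'."""
    if seq == lo:
        return "exact"
    if (seq - lo) % SEQ_MOD <= (high - lo) % SEQ_MOD:
        return "window"
    return "outside"


def analyse_rst(line):
    """Parse the line and, if it is an RST, return the seq classification per
    tracker plus whether a strict exact-match rule would have accepted it."""
    rec = parse_bad_state(line)
    if rec is None or "R" not in rec["flags"]:
        return None
    results = []
    for lo, high, _win, _mod in rec["trackers"]:
        cls = classify_seq(rec["seq"], lo, high)
        # Simplified model of the strict rule described in the thread:
        # an RST is accepted only when its seq equals the tracker's lo exactly.
        results.append({"lo": lo, "high": high, "class": cls, "strict_ok": cls == "exact"})
    return {"seq": rec["seq"], "dir": rec["dir"], "trackers": results}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyse_rst(line)
        print(f"seq={r['seq']} dir={r['dir']}")
        for i, t in enumerate(r["trackers"]):
            print(f"  tracker {i}: lo={t['lo']} high={t['high']} -> {t['class']}"
                  f" (strict rule accepts: {t['strict_ok']})")
```

Running it over the quoted line shows seq matching the first tracker's lo exactly, which is the apparent contradiction the reply explains: the value logged is the already-adjusted one, so equality in the log does not mean the RST on the wire matched. The constructed second line shows the more usual shape of a strict-rule rejection, where seq is inside the window but not an exact match.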