I'm still hunting loose state matches.
After converting all non-protocol-specific "keep state" to either
        flags S/SAFR keep state
or
        flags S/SAFR synproxy state
I'm still getting lots of warnings like this one:

---------------------------------------------------------------------
Dec 14 11:16:47 pf: loose state match: TCP \
aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336 \
[lo=3396551343 high=3396616878 win=5840 modulator=874376751] \
[lo=3752913744 high=3752919543 win=65535 modulator=3189448930] \
  9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10
Dec 14 11:16:47 pf: loose state match: TCP  \
aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336  \
[lo=3396551343 high=3396616878 win=5840 modulator=874376751]  \
[lo=3752913744 high=3752919543 win=65535 modulator=3189448930]  \
9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10
Dec 14 11:16:47 pf: loose state match: TCP  \
66.35.250.225:53336 66.35.250.225:53336 aaa.bbb.ccc.ddd:25  \
[lo=4270928094 high=4270993629 win=5840 modulator=0]  \
[lo=3752913744 high=3752919543 win=65535 modulator=0]  \
9:9 R seq=4270928094 ack=3752913744 len=0 ackskew=0 pkts=10:11
Dec 14 11:16:47 pf: loose state match: TCP  \
66.35.250.225:53336 66.35.250.225:53336 aaa.bbb.ccc.ddd:25  \
[lo=4270928094 high=4270993629 win=5840 modulator=0]  \
[lo=3752913744 high=3752919543 win=65535 modulator=0]  \
9:9 R seq=4270928094 ack=3752913744 len=0 ackskew=0 pkts=10:11
Dec 14 11:16:47 pf: loose state match: TCP  \
aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336  \
[lo=3396551343 high=3396616878 win=5840 modulator=874376751]  \
[lo=3752913744 high=3752919543 win=65535 modulator=3189448930]  \
10:10 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=9:10
Dec 14 11:16:47 pf: loose state match: TCP  \
aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336  \
[lo=3396551343 high=3396616878 win=5840 modulator=874376751]  \
[lo=3752913744 high=3752919543 win=65535 modulator=3189448930]  \
10:10 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=9:10
Dec 14 11:16:47 pf: loose state match: TCP  \
66.35.250.225:53336 66.35.250.225:53336 aaa.bbb.ccc.ddd:25  \
[lo=4270928094 high=4270993629 win=5840 modulator=0]  \
[lo=3752913744 high=3752919543 win=65535 modulator=0]  \
10:10 R seq=4270928094 ack=3752913744 len=0 ackskew=0 pkts=11:11
Dec 14 11:16:47 pf: loose state match: TCP  \
66.35.250.225:53336 66.35.250.225:53336 aaa.bbb.ccc.ddd:25  \
[lo=4270928094 high=4270993629 win=5840 modulator=0]  \
[lo=3752913744 high=3752919543 win=65535 modulator=0]  \
10:10 R seq=4270928094 ack=3752913744 len=0 ackskew=0 pkts=11:11
---------------------------------------------------------------------
Notice the difference in modulator.
My policy-based filtering setup uses synproxy on the internet interface only,
not on the dmz or intranet interfaces. Might this be an issue?

Any tips would be very helpful.
Axel
---------------------------------------------------------------------
Axel Rau, Frankfurt, Germany                       +49 69 9514 18 0
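As an added example (not part of Axel's post and not pf code), here is a small Python parser for these `loose state match` entries, run over four of the lines quoted above with the post's own anonymized addresses. It joins the mail-wrapped lines back into pf's one-line format, decodes the `src:dst` state numbers with the TCPS_* values from tcp_fsm.h, and reports every connection that was logged both with a non-zero `modulator` and with `modulator=0`, which is exactly the difference the post points at: the same flow being tracked by two states, one created with sequence-number modulation (modulate/synproxy state) and one without.

```python
import re
from collections import defaultdict

# Four of the entries quoted in the post above, with the post's anonymized
# addresses.  pf prints each entry on a single line; the trailing backslashes
# are mail wrapping, so they are joined back together before parsing.
RAW_LOG = r"""Dec 14 11:16:47 pf: loose state match: TCP \
aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336 \
[lo=3396551343 high=3396616878 win=5840 modulator=874376751] \
[lo=3752913744 high=3752919543 win=65535 modulator=3189448930] \
  9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10
Dec 14 11:16:47 pf: loose state match: TCP  \
66.35.250.225:53336 66.35.250.225:53336 aaa.bbb.ccc.ddd:25  \
[lo=4270928094 high=4270993629 win=5840 modulator=0]  \
[lo=3752913744 high=3752919543 win=65535 modulator=0]  \
9:9 R seq=4270928094 ack=3752913744 len=0 ackskew=0 pkts=10:11
Dec 14 11:16:47 pf: loose state match: TCP  \
aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336  \
[lo=3396551343 high=3396616878 win=5840 modulator=874376751]  \
[lo=3752913744 high=3752919543 win=65535 modulator=3189448930]  \
10:10 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=9:10
Dec 14 11:16:47 pf: loose state match: TCP  \
66.35.250.225:53336 66.35.250.225:53336 aaa.bbb.ccc.ddd:25  \
[lo=4270928094 high=4270993629 win=5840 modulator=0]  \
[lo=3752913744 high=3752919543 win=65535 modulator=0]  \
10:10 R seq=4270928094 ack=3752913744 len=0 ackskew=0 pkts=11:11
"""

# Field order as pf_print_state writes it: proto, lan/gwy/ext endpoints,
# one [lo high win modulator] block per direction, src:dst TCP state,
# flags of the packet, then seq/ack/len/ackskew/pkts.
ENTRY_RE = re.compile(
    r"pf: loose state match: (?P<proto>\w+)\s+"
    r"(?P<lan>\S+)\s+(?P<gwy>\S+)\s+(?P<ext>\S+)\s+"
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=(?P<src_win>\d+) modulator=(?P<src_mod>\d+)\]\s+"
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=(?P<dst_win>\d+) modulator=(?P<dst_mod>\d+)\]\s+"
    r"(?P<src_state>\d+):(?P<dst_state>\d+)\s+(?P<flags>\S+)\s+"
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+) "
    r"pkts=(?P<pkts_src>\d+):(?P<pkts_dst>\d+)"
)
TEXT_FIELDS = {"proto", "lan", "gwy", "ext", "flags"}

# pf stores per-side TCP state with the TCPS_* numbers from tcp_fsm.h.
TCP_STATES = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
              8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}


def parse_loose_state_log(text):
    """Undo the backslash line wrapping and parse every loose-state entry."""
    joined = re.sub(r"\s*\\\n\s*", " ", text)
    entries = []
    for line in joined.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        entry = m.groupdict()
        for name, value in entry.items():
            if name not in TEXT_FIELDS:
                entry[name] = int(value)
        entries.append(entry)
    return entries


def flow_key(entry):
    """Direction-independent key: both directions of one connection map here."""
    return tuple(sorted((entry["lan"], entry["ext"])))


def find_modulator_conflicts(entries):
    """Per connection, count entries whose state carries ISN modulation
    (non-zero modulator) and entries whose state has none.  A connection
    seen both ways is being matched against two differently created states."""
    counts = defaultdict(lambda: {"modulated": 0, "unmodulated": 0})
    for e in entries:
        kind = "modulated" if (e["src_mod"] or e["dst_mod"]) else "unmodulated"
        counts[flow_key(e)][kind] += 1
    return {k: v for k, v in counts.items() if v["modulated"] and v["unmodulated"]}


def describe(entry):
    """One readable line per entry, with the TCP state numbers decoded."""
    src = TCP_STATES.get(entry["src_state"], str(entry["src_state"]))
    dst = TCP_STATES.get(entry["dst_state"], str(entry["dst_state"]))
    kind = "modulated" if (entry["src_mod"] or entry["dst_mod"]) else "unmodulated"
    return (f"{entry['lan']} -> {entry['ext']} {src}:{dst} "
            f"flags={entry['flags']} pkts={entry['pkts_src']}:{entry['pkts_dst']} {kind}")


if __name__ == "__main__":
    parsed = parse_loose_state_log(RAW_LOG)
    for e in parsed:
        print(describe(e))
    for flow, counts in find_modulator_conflicts(parsed).items():
        print(f"conflict {flow[0]} <-> {flow[1]}: {counts}")
```

On the quoted lines the script prints each entry as FIN_WAIT_2:FIN_WAIT_2 or TIME_WAIT:TIME_WAIT with a RST flag, i.e. stray packets after the connection has closed, and flags the single 66.35.250.225:53336 to port 25 connection as seen twice modulated and twice unmodulated. Feeding it a full day of `pf:` syslog output shows quickly whether the conflicting pairs all share one interface pair, which is the thing to check against the per-interface synproxy versus keep state split described in the post.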