subject:"Re\: blocked FIN packets"

Re: blocked FIN packets

2010-12-25 Thread Jan Stary

On Dec 23 20:17:23, Jan Stary wrote:
  Speculation: this looks to me like an end of a valid http session:
  an internal clients reads a web page, and probably a few images,
  everything goes through, but the last FIN does not. The first SYN
  creates state that lets the subsequent packets through. Doesn't the
  last FIN belong to the same state? Also, this is an outgoing packet,
  which I explicitly allow.
  What can possibly be blocking these FIN packets?
 
 On Dec 23 02:39:59, Daniel E. Hassler wrote:
  Timing. State has probably timed out before the blocked packets are  
  received. Log the whole conversation - both ways for both Firefox and 
  lynx.
 
 On Dec 23 04:45:04, Brian Seklecki (Mobile) wrote:
   set timeout tcp.finwait 900
   set timeout tcp.closing 900
 
 You are both probably right. Thank you.
 
 With lynx  (that is, an internal client runs 'lynx www.ihned.cz')
 the conversation looks like this (tcpdump follows): two tcp connections
 are made (first receives 302 Found, the second one receives 200);
 the data is read; both connections are correctly FIN'd, the FINs
 are ack'd.  No packets get blocked.
 
 12:36:57.989903 mac.stare.cz.54703  www.ihned.cz.www: S 
 2635202717:2635202717(0) win 65535 mss 1460,nop,wscale 3,nop,nop,timestamp 
 743703535 0,sackOK,eol (DF)
 12:36:58.006316 www.ihned.cz.www  mac.stare.cz.54703: S 
 2401821844:2401821844(0) ack 2635202718 win 5792 mss 1380,sackOK,timestamp 
 3998698463 743703535,nop,wscale 7
 12:36:58.006483 mac.stare.cz.54703  www.ihned.cz.www: . ack 1 win 65535 
 nop,nop,timestamp 743703535 3998698463 (DF)
 12:36:58.006979 mac.stare.cz.54703  www.ihned.cz.www: P 1:303(302) ack 1 win 
 65535 nop,nop,timestamp 743703535 3998698463 (DF)
 12:36:58.018389 www.ihned.cz.www  mac.stare.cz.54703: . ack 303 win 54 
 nop,nop,timestamp 3998698464 743703535
 12:36:58.036406 www.ihned.cz.www  mac.stare.cz.54703: P 1:169(168) ack 303 
 win 54 nop,nop,timestamp 3998698466 743703535
 12:36:58.036774 mac.stare.cz.54703  www.ihned.cz.www: . ack 169 win 65535 
 nop,nop,timestamp 743703535 3998698466 (DF)
 12:36:58.036920 www.ihned.cz.www  mac.stare.cz.54703: F 169:169(0) ack 303 
 win 54 nop,nop,timestamp 3998698466 743703535
 12:36:58.037094 mac.stare.cz.54703  www.ihned.cz.www: . ack 170 win 65535 
 nop,nop,timestamp 743703535 3998698466 (DF)
 12:36:58.037990 mac.stare.cz.54703  www.ihned.cz.www: F 303:303(0) ack 170 
 win 65535 nop,nop,timestamp 743703535 3998698466 (DF)
 12:36:58.046266 www.ihned.cz.www  mac.stare.cz.54703: . ack 304 win 54 
 nop,nop,timestamp 3998698467 743703535
 
 (The first connection which received 302 Found ends here;
 the other one starts now.)
 
 12:37:00.040373 mac.stare.cz.54704  www.ihned.cz.www: S 
 3284050248:3284050248(0) win 65535 mss 1460,nop,wscale 3,nop,nop,timestamp 
 743703555 0,sackOK,eol (DF)
 12:37:00.052042 www.ihned.cz.www  mac.stare.cz.54704: S 
 3325100471:3325100471(0) ack 3284050249 win 5792 mss 1380,sackOK,timestamp 
 3998698668 743703555,nop,wscale 7
 12:37:00.052393 mac.stare.cz.54704  www.ihned.cz.www: . ack 1 win 65535 
 nop,nop,timestamp 743703556 3998698668 (DF)
 12:37:00.053022 mac.stare.cz.54704  www.ihned.cz.www: P 1:299(298) ack 1 win 
 65535 nop,nop,timestamp 743703556 3998698668 (DF)
 12:37:00.061764 www.ihned.cz.www  mac.stare.cz.54704: . ack 299 win 54 
 nop,nop,timestamp 3998698669 743703556
 [...]
 12:37:00.220313 www.ihned.cz.www  mac.stare.cz.54704: . 82081:83449(1368) 
 ack 299 win 54 nop,nop,timestamp 3998698682 743703557
 12:37:00.220486 www.ihned.cz.www  mac.stare.cz.54704: . 83449:84817(1368) 
 ack 299 win 54 nop,nop,timestamp 3998698682 743703557
 12:37:00.220539 www.ihned.cz.www  mac.stare.cz.54704: FP 84817:84919(102) 
 ack 299 win 54 nop,nop,timestamp 3998698682 743703557
 12:37:00.220620 mac.stare.cz.54704  www.ihned.cz.www: . ack 82081 win 65535 
 nop,nop,timestamp 743703557 3998698682 (DF)
 12:37:00.220858 mac.stare.cz.54704  www.ihned.cz.www: . ack 84920 win 65309 
 nop,nop,timestamp 743703557 3998698682 (DF)
 12:37:00.222642 mac.stare.cz.54704  www.ihned.cz.www: F 299:299(0) ack 84920 
 win 65535 nop,nop,timestamp 743703557 3998698682 (DF)
 12:37:00.229482 www.ihned.cz.www  mac.stare.cz.54704: . ack 300 win 54 
 nop,nop,timestamp 3998698686 743703557
 
 
 With firefox on the other hand, this is what happens: six connections
 are made (ports 54748-54753) to get the page itself and the css and the
 images. Data is read on the connections; then the remote end sends
 a FIN for one of these connections (I am isolating port 54768; the very
 same happens on the other ports, too):
 
 [...]
 13:08:07.915873 www.ihned.cz.www  mac.stare.cz.54748: F 517:517(0) ack 637 
 win 56 nop,nop,timestamp 3992488807 743721564
 
 The internal client ACKs the FIN ...
 
 13:08:07.916238 mac.stare.cz.54748  www.ihned.cz.www: . ack 518 win 65535 
 nop,nop,timestamp 743722213 3992488807 (DF)
 
 and sends its own FIN later:
 
 13:08:21.284154 mac.stare.cz.54748  www.ihned.cz.www: F 637:637(0) ack 518 
 win

Re: blocked FIN packets

2010-12-25 Thread Jan Stary

  All of these FINs go through, but never receive an ACK (why?).
 
 Because the other side sucks and decided to violate the TCP RFC by fast
 closing connections without waiting proper session shutdown to free
 sockets quickly and since that is not enough they even decided to not
 send a RST back to such FIN packets. So you lose, live with it there is
 nothing you can do against this. The Internet is full of such suckers.

Is there a way to make sure that thsi is what's happening?

 At the same time firefox seems to be a snail and needs a lot of time to
 figure out that a connection got half closed. Keepalive at its best.

With 'set optimization conservative', all the timeouts get
bumped to much bigger values; I no longer see the blocked FINs.
But that's not because they have more time (if the other side
never ACKs my FINs, they will lose state at some point),
but the application (firefox) now sends its FIN much faster,
and it gets ACKed. What does 'optimzation conservative' do
besides bumping up the timeout values. How does that influence
running applications (wrt how they close connections)?

  Then, these FINs start to get blocked. First such is
  
  13:10:28.363318 mac.stare.cz.54748  www.ihned.cz.www: F 637:637(0) ack 518 
  win 65535 nop,nop,timestamp 743723615 3992488807 (DF)
  
  The corresponding line from 'tcpdump -e -i pflog0' is
  
  13:10:28.363655 rule 15/(match) block in on vr1: mac.stare.cz.54748  
  www.ihned.cz.www: F 4189102151:4189102151(0) ack 1081156646 win 65535 
  nop,nop,timestamp 743723615 3992488807 (DF)
  
  (I am assuming it is the same packet, as the timestamp differs by
  less then a milisecond.)
  
  The first FIN we tried to send was at 13:08:21; tcp.closing is 900s;
  (tcp.closing: The state after the first FIN has been sent.) So we
  are well within the timeout.
 
 You sure that your state is in the closing state and not in FINWAIT or
 CLOSED? The first FIN will move the state to closing and the other side
 sending the 2nd FIN will move the state to CLOSED (IIRC)

I am not sure. But the first FIN is sent by the other side (moving the
state to closing), we ACK it, and send our FIN (moving the state to
finwait?), which never gets ACKed.

 so you will end up with a much shorter 90s timeout.

This is indeed the first packet that goes over 90s:
the first (remote) FIN came at 13:08:07
the last FIN we send that goes through is 13:09:24 (i.e. 77s later)
the first FIN that is blocked is at 13:10:28 (i.e. 141s later)
But where does the 90s limt come from? Without further
configuration, pf has a tcp.finwait of 45s.

 The first FIN we tried to send was at 13:08:21; tcp.closing is 900s;
 (tcp.closing: The state after the first FIN has been sent.) So we
 are well within the timeout.

I am probably misunderstanding something.
tcp.closing: The state after the first FIN has been sent.
That does not mean the first FIN _we_ sent. The first FIN
was sent by the other side, at 13:08:07.

The state we are in now _is_ tcp.closing, right? The first FIN has been
sent. It's not tcp.finwait: the state after both FINs have been exchanged,
right? Because the FINs have not been exchanged - our FIN has not been ACKed.
Or does pf consider this finwait already, because we have acked the remote
FIN, and sent our FIN?

Either way, this packet is not the first one to go over tcp.finwait = 45s.
(And it is well withnin tcp.closing = 900s.) So why is this the first
one that got blocked?

Thank you for your time

Jan

Re: blocked FIN packets

2010-12-23 Thread Jan Stary

On Dec 22 19:54:28, Forman, Jeffrey wrote:
 On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary h...@stare.cz wrote:
 
  Speculation: this looks to me like an end of a valid http session:
  an internal clients reads a web page, and probably a few images,
  everything goes through, but the last FIN does not. The first SYN
  creates state that lets the subsequent packets through. Doesn't the
  last FIN belong to the same state? Also, this is an outgoing packet,
  which I explicitly allow.
 
  What can possibly be blocking these FIN packets?
 
 
 Jan,
 
 I have run into a similiar situation where I had packets getting blocked
 through my OpenBSD fw and could not figure out why.
 
 The couple pieces of code I tend to use to debug such a thing:
 
 1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
 two and throw them on all your block statements.

Yes, that's how I see the blocked packets.

 2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
 only the packets being logged, but also the pf rules blocking them. Example:
 Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 
 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]

Thanks. It's some time I have read tcpdump(8).

09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254 
www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535
nop,nop,timestamp 743577732 1811533502 (DF)


 I see this is rule 8. I then run 'pfctl -s rules -vv' 
 [...]
 I find that by combining these two debugging tools, I am able to pin
 point the rule that might be blocking a specific set of connections.

The rule that's blocking my FIN packets is the block drop log all.
Which is the only block rule I have, the rest of pf.conf just
explicitly allows the intended traffic (see the original mail).

So my question remains: if these are FINs of the few http conections
that take place when an internal client looks at www.ihned.cz (which it
seems), why are they not let through by the state that was created form
these connections?

This is blocked 'in' on the internal interface (vr1),
where the 'in' rules are (see orig mail for full pf.conf):

pass  in on $int proto icmp from any to  ($int)
pass  in on $int proto { tcp udp }  from any to  ($int) port bootps
pass  in on $int proto { tcp udp }  from any to  ($int) port domain
pass  in on $int proto tcp  from any to  ($int) port ssh
pass  in on $intfrom any to !($int) tag INT

Maybe I am missing something here: the first four rules are supposed
to allow traffic from the internal hosts to the gateway itself (dhcp
etc), and the fifth rule is supposed to pass traffic to the outside
(which gets natted later on the external interface). A packet such as
mac.stare.cz.54254  www.ihned.cz.www: F 2622397051:2622397051(0)
seems to me to be that case (right?).

The only communication that the internal client (mac.stare.cz) has with
the outside host (www.ihned.cz) is that a browser (firefox) is used
to look at a webpage. If the internal clients does the same with lynx,
there are no blocked FIN packets on the internal interface.

What am I missing here?

Thank you for your time

Jan

Re: blocked FIN packets

2010-12-23 Thread Daniel E. Hassler

Timing. State has probably timed out before the blocked packets are 
received. Log the whole conversation - both ways for both Firefox and lynx.


On 12/23/10 12:47 AM, Jan Stary wrote:

On Dec 22 19:54:28, Forman, Jeffrey wrote:

On Wed, Dec 22, 2010 at 5:41 PM, Jan Staryh...@stare.cz  wrote:


Speculation: this looks to me like an end of a valid http session:
an internal clients reads a web page, and probably a few images,
everything goes through, but the last FIN does not. The first SYN
creates state that lets the subsequent packets through. Doesn't the
last FIN belong to the same state? Also, this is an outgoing packet,
which I explicitly allow.

What can possibly be blocking these FIN packets?



Jan,

I have run into a similiar situation where I had packets getting blocked
through my OpenBSD fw and could not figure out why.

The couple pieces of code I tend to use to debug such a thing:

1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
two and throw them on all your block statements.

Yes, that's how I see the blocked packets.


2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
only the packets being logged, but also the pf rules blocking them. Example:
Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000
96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]

Thanks. It's some time I have read tcpdump(8).

09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254
www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535
nop,nop,timestamp 743577732 1811533502  (DF)



I see this is rule 8. I then run 'pfctl -s rules -vv'
[...]
I find that by combining these two debugging tools, I am able to pin
point the rule that might be blocking a specific set of connections.

The rule that's blocking my FIN packets is the block drop log all.
Which is the only block rule I have, the rest of pf.conf just
explicitly allows the intended traffic (see the original mail).

So my question remains: if these are FINs of the few http conections
that take place when an internal client looks at www.ihned.cz (which it
seems), why are they not let through by the state that was created form
these connections?

This is blocked 'in' on the internal interface (vr1),
where the 'in' rules are (see orig mail for full pf.conf):

pass  in on $int proto icmp from any to  ($int)
pass  in on $int proto { tcp udp }  from any to  ($int) port bootps
pass  in on $int proto { tcp udp }  from any to  ($int) port domain
pass  in on $int proto tcp  from any to  ($int) port ssh
pass  in on $intfrom any to !($int) tag INT

Maybe I am missing something here: the first four rules are supposed
to allow traffic from the internal hosts to the gateway itself (dhcp
etc), and the fifth rule is supposed to pass traffic to the outside
(which gets natted later on the external interface). A packet such as
mac.stare.cz.54254  www.ihned.cz.www: F 2622397051:2622397051(0)
seems to me to be that case (right?).

The only communication that the internal client (mac.stare.cz) has with
the outside host (www.ihned.cz) is that a browser (firefox) is used
to look at a webpage. If the internal clients does the same with lynx,
there are no blocked FIN packets on the internal interface.

What am I missing here?

Thank you for your time

Jan

Re: blocked FIN packets

2010-12-23 Thread Brian Seklecki (Mobile)


set skip on lo
set block-policy drop


 set timeout tcp.finwait 900
 set timeout tcp.closing 900

 (There also an adaptive setting based on load)


   Your client, if its really a mac, may have a sysctl like

...net.inet.tcp.finwait2_timeout: 6
...   net.inet.tcp.finwait2_timeout: FIN-WAIT2 timeout

Or something similar ~BAS

Re: blocked FIN packets

2010-12-23 Thread Jan Stary

 Speculation: this looks to me like an end of a valid http session:
 an internal clients reads a web page, and probably a few images,
 everything goes through, but the last FIN does not. The first SYN
 creates state that lets the subsequent packets through. Doesn't the
 last FIN belong to the same state? Also, this is an outgoing packet,
 which I explicitly allow.
 What can possibly be blocking these FIN packets?

On Dec 23 02:39:59, Daniel E. Hassler wrote:
 Timing. State has probably timed out before the blocked packets are  
 received. Log the whole conversation - both ways for both Firefox and 
 lynx.

On Dec 23 04:45:04, Brian Seklecki (Mobile) wrote:
  set timeout tcp.finwait 900
  set timeout tcp.closing 900

You are both probably right. Thank you.

With lynx  (that is, an internal client runs 'lynx www.ihned.cz')
the conversation looks like this (tcpdump follows): two tcp connections
are made (first receives 302 Found, the second one receives 200);
the data is read; both connections are correctly FIN'd, the FINs
are ack'd.  No packets get blocked.

12:36:57.989903 mac.stare.cz.54703  www.ihned.cz.www: S 
2635202717:2635202717(0) win 65535 mss 1460,nop,wscale 3,nop,nop,timestamp 
743703535 0,sackOK,eol (DF)
12:36:58.006316 www.ihned.cz.www  mac.stare.cz.54703: S 
2401821844:2401821844(0) ack 2635202718 win 5792 mss 1380,sackOK,timestamp 
3998698463 743703535,nop,wscale 7
12:36:58.006483 mac.stare.cz.54703  www.ihned.cz.www: . ack 1 win 65535 
nop,nop,timestamp 743703535 3998698463 (DF)
12:36:58.006979 mac.stare.cz.54703  www.ihned.cz.www: P 1:303(302) ack 1 win 
65535 nop,nop,timestamp 743703535 3998698463 (DF)
12:36:58.018389 www.ihned.cz.www  mac.stare.cz.54703: . ack 303 win 54 
nop,nop,timestamp 3998698464 743703535
12:36:58.036406 www.ihned.cz.www  mac.stare.cz.54703: P 1:169(168) ack 303 win 
54 nop,nop,timestamp 3998698466 743703535
12:36:58.036774 mac.stare.cz.54703  www.ihned.cz.www: . ack 169 win 65535 
nop,nop,timestamp 743703535 3998698466 (DF)
12:36:58.036920 www.ihned.cz.www  mac.stare.cz.54703: F 169:169(0) ack 303 win 
54 nop,nop,timestamp 3998698466 743703535
12:36:58.037094 mac.stare.cz.54703  www.ihned.cz.www: . ack 170 win 65535 
nop,nop,timestamp 743703535 3998698466 (DF)
12:36:58.037990 mac.stare.cz.54703  www.ihned.cz.www: F 303:303(0) ack 170 win 
65535 nop,nop,timestamp 743703535 3998698466 (DF)
12:36:58.046266 www.ihned.cz.www  mac.stare.cz.54703: . ack 304 win 54 
nop,nop,timestamp 3998698467 743703535

(The first connection which received 302 Found ends here;
the other one starts now.)

12:37:00.040373 mac.stare.cz.54704  www.ihned.cz.www: S 
3284050248:3284050248(0) win 65535 mss 1460,nop,wscale 3,nop,nop,timestamp 
743703555 0,sackOK,eol (DF)
12:37:00.052042 www.ihned.cz.www  mac.stare.cz.54704: S 
3325100471:3325100471(0) ack 3284050249 win 5792 mss 1380,sackOK,timestamp 
3998698668 743703555,nop,wscale 7
12:37:00.052393 mac.stare.cz.54704  www.ihned.cz.www: . ack 1 win 65535 
nop,nop,timestamp 743703556 3998698668 (DF)
12:37:00.053022 mac.stare.cz.54704  www.ihned.cz.www: P 1:299(298) ack 1 win 
65535 nop,nop,timestamp 743703556 3998698668 (DF)
12:37:00.061764 www.ihned.cz.www  mac.stare.cz.54704: . ack 299 win 54 
nop,nop,timestamp 3998698669 743703556
[...]
12:37:00.220313 www.ihned.cz.www  mac.stare.cz.54704: . 82081:83449(1368) ack 
299 win 54 nop,nop,timestamp 3998698682 743703557
12:37:00.220486 www.ihned.cz.www  mac.stare.cz.54704: . 83449:84817(1368) ack 
299 win 54 nop,nop,timestamp 3998698682 743703557
12:37:00.220539 www.ihned.cz.www  mac.stare.cz.54704: FP 84817:84919(102) ack 
299 win 54 nop,nop,timestamp 3998698682 743703557
12:37:00.220620 mac.stare.cz.54704  www.ihned.cz.www: . ack 82081 win 65535 
nop,nop,timestamp 743703557 3998698682 (DF)
12:37:00.220858 mac.stare.cz.54704  www.ihned.cz.www: . ack 84920 win 65309 
nop,nop,timestamp 743703557 3998698682 (DF)
12:37:00.222642 mac.stare.cz.54704  www.ihned.cz.www: F 299:299(0) ack 84920 
win 65535 nop,nop,timestamp 743703557 3998698682 (DF)
12:37:00.229482 www.ihned.cz.www  mac.stare.cz.54704: . ack 300 win 54 
nop,nop,timestamp 3998698686 743703557


With firefox on the other hand, this is what happens: six connections
are made (ports 54748-54753) to get the page itself and the css and the
images. Data is read on the connections; then the remote end sends
a FIN for one of these connections (I am isolating port 54768; the very
same happens on the other ports, too):

[...]
13:08:07.915873 www.ihned.cz.www  mac.stare.cz.54748: F 517:517(0) ack 637 win 
56 nop,nop,timestamp 3992488807 743721564

The internal client ACKs the FIN ...

13:08:07.916238 mac.stare.cz.54748  www.ihned.cz.www: . ack 518 win 65535 
nop,nop,timestamp 743722213 3992488807 (DF)

and sends its own FIN later:

13:08:21.284154 mac.stare.cz.54748  www.ihned.cz.www: F 637:637(0) ack 518 win 
65535 nop,nop,timestamp 743722346 3992488807 (DF)

Comparing the timestamps, that's fourteen seconds after the client
sent the ACK for the

Re: blocked FIN packets

2010-12-23 Thread Claudio Jeker

On Thu, Dec 23, 2010 at 08:17:23PM +0100, Jan Stary wrote:
  Speculation: this looks to me like an end of a valid http session:
  an internal clients reads a web page, and probably a few images,
  everything goes through, but the last FIN does not. The first SYN
  creates state that lets the subsequent packets through. Doesn't the
  last FIN belong to the same state? Also, this is an outgoing packet,
  which I explicitly allow.
  What can possibly be blocking these FIN packets?
 
 On Dec 23 02:39:59, Daniel E. Hassler wrote:
  Timing. State has probably timed out before the blocked packets are  
  received. Log the whole conversation - both ways for both Firefox and 
  lynx.
 
 On Dec 23 04:45:04, Brian Seklecki (Mobile) wrote:
   set timeout tcp.finwait 900
   set timeout tcp.closing 900
 
 You are both probably right. Thank you.
 
 With lynx  (that is, an internal client runs 'lynx www.ihned.cz')
 the conversation looks like this (tcpdump follows): two tcp connections
 are made (first receives 302 Found, the second one receives 200);
 the data is read; both connections are correctly FIN'd, the FINs
 are ack'd.  No packets get blocked.
 
 12:36:57.989903 mac.stare.cz.54703  www.ihned.cz.www: S 
 2635202717:2635202717(0) win 65535 mss 1460,nop,wscale 3,nop,nop,timestamp 
 743703535 0,sackOK,eol (DF)
 12:36:58.006316 www.ihned.cz.www  mac.stare.cz.54703: S 
 2401821844:2401821844(0) ack 2635202718 win 5792 mss 1380,sackOK,timestamp 
 3998698463 743703535,nop,wscale 7
 12:36:58.006483 mac.stare.cz.54703  www.ihned.cz.www: . ack 1 win 65535 
 nop,nop,timestamp 743703535 3998698463 (DF)
 12:36:58.006979 mac.stare.cz.54703  www.ihned.cz.www: P 1:303(302) ack 1 win 
 65535 nop,nop,timestamp 743703535 3998698463 (DF)
 12:36:58.018389 www.ihned.cz.www  mac.stare.cz.54703: . ack 303 win 54 
 nop,nop,timestamp 3998698464 743703535
 12:36:58.036406 www.ihned.cz.www  mac.stare.cz.54703: P 1:169(168) ack 303 
 win 54 nop,nop,timestamp 3998698466 743703535
 12:36:58.036774 mac.stare.cz.54703  www.ihned.cz.www: . ack 169 win 65535 
 nop,nop,timestamp 743703535 3998698466 (DF)
 12:36:58.036920 www.ihned.cz.www  mac.stare.cz.54703: F 169:169(0) ack 303 
 win 54 nop,nop,timestamp 3998698466 743703535
 12:36:58.037094 mac.stare.cz.54703  www.ihned.cz.www: . ack 170 win 65535 
 nop,nop,timestamp 743703535 3998698466 (DF)
 12:36:58.037990 mac.stare.cz.54703  www.ihned.cz.www: F 303:303(0) ack 170 
 win 65535 nop,nop,timestamp 743703535 3998698466 (DF)
 12:36:58.046266 www.ihned.cz.www  mac.stare.cz.54703: . ack 304 win 54 
 nop,nop,timestamp 3998698467 743703535
 
 (The first connection which received 302 Found ends here;
 the other one starts now.)
 
 12:37:00.040373 mac.stare.cz.54704  www.ihned.cz.www: S 
 3284050248:3284050248(0) win 65535 mss 1460,nop,wscale 3,nop,nop,timestamp 
 743703555 0,sackOK,eol (DF)
 12:37:00.052042 www.ihned.cz.www  mac.stare.cz.54704: S 
 3325100471:3325100471(0) ack 3284050249 win 5792 mss 1380,sackOK,timestamp 
 3998698668 743703555,nop,wscale 7
 12:37:00.052393 mac.stare.cz.54704  www.ihned.cz.www: . ack 1 win 65535 
 nop,nop,timestamp 743703556 3998698668 (DF)
 12:37:00.053022 mac.stare.cz.54704  www.ihned.cz.www: P 1:299(298) ack 1 win 
 65535 nop,nop,timestamp 743703556 3998698668 (DF)
 12:37:00.061764 www.ihned.cz.www  mac.stare.cz.54704: . ack 299 win 54 
 nop,nop,timestamp 3998698669 743703556
 [...]
 12:37:00.220313 www.ihned.cz.www  mac.stare.cz.54704: . 82081:83449(1368) 
 ack 299 win 54 nop,nop,timestamp 3998698682 743703557
 12:37:00.220486 www.ihned.cz.www  mac.stare.cz.54704: . 83449:84817(1368) 
 ack 299 win 54 nop,nop,timestamp 3998698682 743703557
 12:37:00.220539 www.ihned.cz.www  mac.stare.cz.54704: FP 84817:84919(102) 
 ack 299 win 54 nop,nop,timestamp 3998698682 743703557
 12:37:00.220620 mac.stare.cz.54704  www.ihned.cz.www: . ack 82081 win 65535 
 nop,nop,timestamp 743703557 3998698682 (DF)
 12:37:00.220858 mac.stare.cz.54704  www.ihned.cz.www: . ack 84920 win 65309 
 nop,nop,timestamp 743703557 3998698682 (DF)
 12:37:00.222642 mac.stare.cz.54704  www.ihned.cz.www: F 299:299(0) ack 84920 
 win 65535 nop,nop,timestamp 743703557 3998698682 (DF)
 12:37:00.229482 www.ihned.cz.www  mac.stare.cz.54704: . ack 300 win 54 
 nop,nop,timestamp 3998698686 743703557
 
 
 With firefox on the other hand, this is what happens: six connections
 are made (ports 54748-54753) to get the page itself and the css and the
 images. Data is read on the connections; then the remote end sends
 a FIN for one of these connections (I am isolating port 54768; the very
 same happens on the other ports, too):
 
 [...]
 13:08:07.915873 www.ihned.cz.www  mac.stare.cz.54748: F 517:517(0) ack 637 
 win 56 nop,nop,timestamp 3992488807 743721564
 
 The internal client ACKs the FIN ...
 
 13:08:07.916238 mac.stare.cz.54748  www.ihned.cz.www: . ack 518 win 65535 
 nop,nop,timestamp 743722213 3992488807 (DF)
 
 and sends its own FIN later:
 
 13:08:21.284154 mac.stare.cz.54748  www.ihned.cz.www: F

Re: blocked FIN packets

2010-12-22 Thread Forman, Jeffrey

On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary h...@stare.cz wrote:

 Speculation: this looks to me like an end of a valid http session:
 an internal clients reads a web page, and probably a few images,
 everything goes through, but the last FIN does not. The first SYN
 creates state that lets the subsequent packets through. Doesn't the
 last FIN belong to the same state? Also, this is an outgoing packet,
 which I explicitly allow.

 What can possibly be blocking these FIN packets?


Jan,

I have run into a similiar situation where I had packets getting blocked
through my OpenBSD fw and could not figure out why.

The couple pieces of code I tend to use to debug such a thing:

1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
two and throw them on all your block statements.

2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
only the packets being logged, but also the pf rules blocking them. Example:
Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 
96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]

I see this is rule 8. I then run 'pfctl -s rules -vv' which among other
things, outputs

@8 block return in log all label block_all
  [ Evaluations: 1196726   Packets: 5786  Bytes: 352780  States:
0 ]
  [ Inserted: uid 0 pid 2220 State Creations: 0 ]

@8 corresponding to a particular PF rule.

I find that by combining these two debugging tools, I am able to pin
point the rule that might be blocking a specific set of connections.

Hope that helps.

Cheers,
Jeffrey

Re: blocked FIN packets

Re: blocked FIN packets

Re: blocked FIN packets

Re: blocked FIN packets

Re: blocked FIN packets

Re: blocked FIN packets

Re: blocked FIN packets

Re: blocked FIN packets

8 matches

Site Navigation

Mail list logo

Footer information