another reassemble tcp problem - details for PF developers

2010-01-15 Thread Alastair Johnson 
There has been 2 recent threads mentioning problems with reassemble tcp:

pf: reassemble tcp

problems with emails through pf



For info here is another. We solved the problem by removing this scrub.



We went from 4.3 with

scrub in all



to the latest 4.6 stable with

match in all scrub (reassemble tcp)



and bizarrely found we sometimes (~50%) couldnt FTP to several sites. It
would hang just before sending any data. This would happen about 50% of the
time and work fine the rest. It may be an irrelevant coincidence but each
FTP site that this happened with was Microsoft FTP. It never happened (ie
FTP always worked fine) with other server types. The OpenBSD firewall is
running ftp-proxy. The internal client is a linux desktop. Removing the
reassemble tcp scrub made the problem go away and a successful
connection/download every time.



We took tcpdumps on both the internal and external interfaces of the OpenBSD
firewall/ftp-proxy.



Looking at our capture on firewall internal interface, the payload of the
first TCP packet after the handshake seems to be ignored.  I see:



  Frames 26, 28, 29:  TCP handshake

  33:  first data from server

  34:  client then immediately sends ACK to server with seq=1

  35:  last of the data from server

  36:  server attempting to close connection

  37, 38:  Client sends two ACKs in quick succession, presumably responses
to 35, 36; sequence number is still 1

  ... server retransmits, client sends same ACKs, etc. until server gets
frustrated and sends a RST



It looks like the MS FTP server is being well-behaved, but each time some
data is received, the internal linux desktop immediately replies with an ACK
denying that any data was received.  This suggests that it's aware that it's
received some packets, but is rejecting the contents for some reason. Not
sure.



Looking at the capture on firewall external interface, is pretty much the
same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.



Like I said I supply this info just for curiosity. We have it working now by
removing reassemble tcp - maybe its helpful to the PF developers, maybe not.
Below is the screen output from the internal linux desktop using lftp.



Many thanks,



Alastair Johnson















= NOT Working =

-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls

 Connecting to 198.80.165.171 (198.80.165.171) port 21

--- 220 Microsoft FTP Service

--- FEAT

--- 530 Please login with USER and PASS.

--- AUTH TLS

--- 500 'AUTH TLS': command not understood

--- USER A

--- 331 Password required for A.

--- PASS B

--- 230-Welcome to Thomson Financial I/B/E/S FTP site.

--- This site is for authorized users only.

--- Any or all uses of this system and all files on

--- this system are monitored, recorded, and audited.

--- LOG OFF IMMEDIATELY if you do not agree to the

--- conditions stated in this warning.

--- 230 User A logged in.

--- FEAT

--- 211-FEAT

--- SIZE

--- MDTM

--- 211 END

--- PWD

--- 257 / is current directory.

--- PASV

--- 227 Entering Passive Mode (198,80,165,171,227,43)

 Connecting data socket to (198.80.165.171) port 58155

 Data connection established

--- LIST

--- 125 Data connection already open; Transfer starting.

--- 226 Transfer complete.

`ls' at 0 [Receiving data]

= Hang at this point ==







= Working =

snip



--- 230 User A logged in.

--- FEAT

--- 211-FEAT

--- SIZE

--- MDTM

--- 211 END

--- PWD

--- 257 / is current directory.

--- PASV

--- 227 Entering Passive Mode (198,80,165,171,198,136)

 Connecting data socket to (198.80.165.171) port 50824

 Data connection established

--- LIST

--- 125 Data connection already open; Transfer starting.

dr-xr-xr-x   1 ownergroup   0 Dec 22  2009 history

... and then more files/directories

another reassemble tcp problem - details for PF developers

2010-01-15 Thread Alastair Johnson 

There has been 2 recent threads mentioning problems with reassemble tcp:
pf: reassemble tcp
problems with emails through pf

For info here is another. We solved the problem by removing this scrub.

We went from 4.3 with
scrub in all

to the latest 4.6 stable with
match in all scrub (reassemble tcp)

and bizarrely found we sometimes (~50%) couldnt FTP to several sites. 
It would hang just before sending any data. This would happen about 50% 
of the time and work fine the rest. It may be an irrelevant coincidence 
but each FTP site that this happened with was Microsoft FTP. It never 
happened (ie FTP always worked fine) with other server types. The 
OpenBSD firewall is running ftp-proxy. The internal client is a linux 
desktop. Removing the reassemble tcp scrub made the problem go away 
and a successful connection/download every time.


We took tcpdumps on both the internal and external interfaces of the 
OpenBSD firewall/ftp-proxy.


Looking at our capture on firewall internal interface, the payload of 
the first TCP packet after the handshake seems to be ignored. I see:


Frames 26, 28, 29: TCP handshake
33: first data from server
34: client then immediately sends ACK to server with seq=1
35: last of the data from server
36: server attempting to close connection
37, 38: Client sends two ACKs in quick succession, presumably responses 
to 35, 36; sequence number is still 1
... server retransmits, client sends same ACKs, etc. until server gets 
frustrated and sends a RST


It looks like the MS FTP server is being well-behaved, but each time 
some data is received, the internal linux desktop immediately replies 
with an ACK denying that any data was received. This suggests that it's 
aware that it's received some packets, but is rejecting the contents for 
some reason. Not sure.


Looking at the capture on firewall external interface, is pretty much 
the same, except that the second data packet (corresponding to #35) is 
completely missing. This might be a red herring.


Like I said I supply this info just for curiosity. We have it working 
now by removing reassemble tcp - maybe its helpful to the PF developers, 
maybe not. Below is the screen output from the internal linux desktop 
using lftp.


Many thanks,

Alastair Johnson







= NOT Working =
-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls
 Connecting to 198.80.165.171 (198.80.165.171) port 21
--- 220 Microsoft FTP Service
--- FEAT
--- 530 Please login with USER and PASS.
--- AUTH TLS
--- 500 'AUTH TLS': command not understood
--- USER A
--- 331 Password required for A.
--- PASS B
--- 230-Welcome to Thomson Financial I/B/E/S FTP site.
--- This site is for authorized users only.
--- Any or all uses of this system and all files on
--- this system are monitored, recorded, and audited.
--- LOG OFF IMMEDIATELY if you do not agree to the
--- conditions stated in this warning.
--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,227,43)
 Connecting data socket to (198.80.165.171) port 58155
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
--- 226 Transfer complete.
`ls' at 0 [Receiving data]
= Hang at this point ==



= Working =
snip

--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,198,136)
 Connecting data socket to (198.80.165.171) port 50824
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
dr-xr-xr-x 1 owner group 0 Dec 22 2009 history
... and then more files/directories

Re: another reassemble tcp problem - details for PF developers

2010-01-15 Thread Stuart Henderson 
On 2010-01-15, Alastair Johnson att...@googlemail.com wrote:
 We went from 4.3 with
 scrub in all
   
 to the latest 4.6 stable with
 match in all scrub (reassemble tcp)

'scrub in all' on 4.3 is the same as 'scrub in all fragment reassemble'   
which is now done by default.

If you had done 'scrub in all reassemble tcp' on 4.3 you would probably
see the problem there too.

 and bizarrely found we sometimes (~50%) couldn?t FTP to several sites.   

Do you have any examples of public sites affected? ftp.microsoft.com
doesn't do this for me via 'scrub (reassemble tcp)' in -current.

Re: another reassemble tcp problem - details for PF developers

2010-01-15 Thread Alastair Johnson 
no - only ftp to ftp.ibes.com and ftp to www.chi-x.com which are not public.
it seems to have failed after login just before or just as data started to
flow.

the strange thing is that data download works about half the time with
reassemble tcp switched on and all the time with it off.

appologies if i sent to the list more than once.

could possibly provide a traffic capture but i'm not sure how to strip out
unencrypted login details.




2010/1/15 Stuart Henderson s...@spacehopper.org

 On 2010-01-15, Alastair Johnson att...@googlemail.com wrote:
  We went from 4.3 with
  scrub in all
 
  to the latest 4.6 stable with
  match in all scrub (reassemble tcp)

 'scrub in all' on 4.3 is the same as 'scrub in all fragment reassemble'
 which is now done by default.

 If you had done 'scrub in all reassemble tcp' on 4.3 you would probably
 see the problem there too.

  and bizarrely found we sometimes (~50%) couldn?t FTP to several sites.

 Do you have any examples of public sites affected? ftp.microsoft.com
 doesn't do this for me via 'scrub (reassemble tcp)' in -current.

Re: another reassemble tcp problem - details for PF developers

2010-01-15 Thread Michal 
snip

It may be an irrelevant coincidence but each
FTP site that this happened with was Microsoft FTP. It never happened (ie
FTP always worked fine) with other server types.

snip



I don't know if this matters, but I had some problems recently with
people downloading from external FTP servers and we found it had
something to do with the FTP client and the use of either the client of
external server using passive mode. I can't remember the exact details
but it came down to a the ms-client/server working differently then
expected...this probably won't help anyone but it might

another reassemble tcp problem - details for PF developers

2010-01-14 Thread Alastair Johnson 
There has been 2 recent threads mentioning problems with reassemble tcp:
pf: reassemble tcp
problems with emails through pf

For info here is another. We solved the problem by removing this scrub.

We went from 4.3 with
scrub in all

to the latest 4.6 stable with
match in all scrub (reassemble tcp)

and bizarrely found we sometimes (~50%) couldnt FTP to several sites.
It would hang just before sending any data. This would happen about
50% of the time and work fine the rest. It may be an irrelevant
coincidence but each FTP site that this happened with was Microsoft
FTP. It never happened (ie FTP always worked fine) with other server
types. The OpenBSD firewall is running ftp-proxy. The internal client
is a linux desktop. Removing the reassemble tcp scrub made the
problem go away and a successful connection/download every time.

We took tcpdumps on both the internal and external interfaces of the
OpenBSD firewall/ftp-proxy.

Looking at our capture on firewall internal interface, the payload of
the first TCP packet after the handshake seems to be ignored.  I see:

  Frames 26, 28, 29:  TCP handshake
  33:  first data from server
  34:  client then immediately sends ACK to server with seq=1
  35:  last of the data from server
  36:  server attempting to close connection
  37, 38:  Client sends two ACKs in quick succession, presumably
responses to 35, 36; sequence number is still 1
  ... server retransmits, client sends same ACKs, etc. until server
gets frustrated and sends a RST

It looks like the MS FTP server is being well-behaved, but each time
some data is received, the internal linux desktop immediately replies
with an ACK denying that any data was received.  This suggests that
it's aware that it's received some packets, but is rejecting the
contents for some reason. Not sure.

Looking at the capture on firewall external interface, is pretty much
the same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.

Like I said I supply this info just for curiosity. We have it working
now by removing reassemble tcp - maybe its helpful to the PF
developers, maybe not. Below is the screen output from the internal
linux desktop using lftp.

Many thanks,

Alastair Johnson







= NOT Working =
-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls
 Connecting to 198.80.165.171 (198.80.165.171) port 21
--- 220 Microsoft FTP Service
--- FEAT
--- 530 Please login with USER and PASS.
--- AUTH TLS
--- 500 'AUTH TLS': command not understood
--- USER A
--- 331 Password required for A.
--- PASS B
--- 230-Welcome to Thomson Financial I/B/E/S FTP site.
--- This site is for authorized users only.
--- Any or all uses of this system and all files on
--- this system are monitored, recorded, and audited.
--- LOG OFF IMMEDIATELY if you do not agree to the
--- conditions stated in this warning.
--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,227,43)
 Connecting data socket to (198.80.165.171) port 58155
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
--- 226 Transfer complete.
`ls' at 0 [Receiving data]
= Hang at this point ==



= Working =
snip

--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,198,136)
 Connecting data socket to (198.80.165.171) port 50824
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
dr-xr-xr-x   1 ownergroup   0 Dec 22  2009 history
... and then more files/directories

reassemble tcp problem - details for PF developers

2010-01-14 Thread Alastair Johnson 
There has been 2 recent threads mentioning problems with reassemble tcp:
pf: reassemble tcp
problems with emails through pf

For info here is another. We solved the problem by removing this scrub.

We went from 4.3 with
scrub in all

to the latest 4.6 stable with
match in all scrub (reassemble tcp)

and bizarrely found we sometimes (~50%) couldnt FTP to several sites.
It would hang just before sending any data. This would happen about
50% of the time and work fine the rest. It may be an irrelevant
coincidence but each FTP site that this happened with was Microsoft
FTP. It never happened (ie FTP always worked fine) with other server
types. The OpenBSD firewall is running ftp-proxy. The internal client
is a linux desktop. Removing the reassemble tcp scrub made the
problem go away and a successful connection/download every time.

We took tcpdumps on both the internal and external interfaces of the
OpenBSD firewall/ftp-proxy.

Looking at our capture on firewall internal interface, the payload of
the first TCP packet after the handshake seems to be ignored.  I see:

 Frames 26, 28, 29:  TCP handshake
 33:  first data from server
 34:  client then immediately sends ACK to server with seq=1
 35:  last of the data from server
 36:  server attempting to close connection
 37, 38:  Client sends two ACKs in quick succession, presumably
responses to 35, 36; sequence number is still 1
 ... server retransmits, client sends same ACKs, etc. until server
gets frustrated and sends a RST

It looks like the MS FTP server is being well-behaved, but each time
some data is received, the internal linux desktop immediately replies
with an ACK denying that any data was received.  This suggests that
it's aware that it's received some packets, but is rejecting the
contents for some reason. Not sure.

Looking at the capture on firewall external interface, is pretty much
the same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.

Like I said I supply this info just for curiosity. We have it working
now by removing reassemble tcp - maybe its helpful to the PF
developers, maybe not. Below is the screen output from the internal
linux desktop using lftp.

Many thanks,

Alastair Johnson







= NOT Working =
-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls
 Connecting to 198.80.165.171 (198.80.165.171) port 21
--- 220 Microsoft FTP Service
--- FEAT
--- 530 Please login with USER and PASS.
--- AUTH TLS
--- 500 'AUTH TLS': command not understood
--- USER A
--- 331 Password required for A.
--- PASS B
--- 230-Welcome to Thomson Financial I/B/E/S FTP site.
--- This site is for authorized users only.
--- Any or all uses of this system and all files on
--- this system are monitored, recorded, and audited.
--- LOG OFF IMMEDIATELY if you do not agree to the
--- conditions stated in this warning.
--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,227,43)
 Connecting data socket to (198.80.165.171) port 58155
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
--- 226 Transfer complete.
`ls' at 0 [Receiving data]
= Hang at this point ==



= Working =
snip

--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,198,136)
 Connecting data socket to (198.80.165.171) port 50824
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
dr-xr-xr-x   1 ownergroup   0 Dec 22  2009 history
... and then more files/directories