Re: FW: Strange smtp problem..
Daniel Rapp wrote: Update: I turned debug urgent on in pf and i get these in the logs. pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25 ccc.ccc.ccc.ccc:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0] [lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566 ack=740836633 len=0 ackskew=0 pkts=2:4 dir=in,fwd pf: State failure on: | Look here: http://www.mail-archive.com/pf@benzedrine.cx/msg07809.html I had exactly the same problem, and the workaround pointed out in the above link seems to work. It looks like you are running into the same problem. -- Ferdinand Goldmann | | |--00 |UNIX | Tel. : +43/732/2468/9398 Fax. : +43/732/2468/9397 C ^ | | EMail: [EMAIL PROTECTED]\ ~/ ~~~| PGP D4CF 8AA4 4B2A 7B88 65CA 5EDC 0A9B FA9A 13EA B993| |-3
Re: FW: Strange smtp problem..
On Wed, Jul 05, 2006 at 01:34:34PM +0200, Daniel Rapp wrote: pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25 ccc.ccc.ccc.ccc:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0] [lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566 ack=740836633 len=0 ackskew=0 pkts=2:4 dir=in,fwd pf: State failure on: | You're absolutely sure this is quoted/pasted correctly, the second line really has no numbers after the colon? Daniel
RE: FW: Strange smtp problem..
Yes, that one loks like that.. adding osfp IRIX 6.5 15 = 49152:64:0:48:0x403 4 (TS=,M=*0,W=*0) 801005 adding osfp IRIX 6.5 16 = 49152:64:0:48:0x403 4 (TS=,M=*0,W=*0) 801006 pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25 bbb.bbb.bbb.bbb:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0] [lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566 ack=740836633 len=0 ackskew=0 pkts=2:4 dir=in,fwd pf: State failure on: | adding osfp IRIX 6.5 17 = 49152:64:0:48:0x403 4 (TS=,M=*0,W=*0) 801007 adding osfp IRIX 6.5 18 = 49152:64:0:48:0x403 4 (TS=,M=*0,W=*0) 801008 But i also has some others that looks a little better, but not with the same machine.. pf: BAD state: TCP ccc.ccc.ccc.ccc:1433 ccc.ccc.ccc.ccc:1433 ddd.ddd.ddd.ddd:4575 [lo=3065509305 high=3065574509 win=64064 modulator=3501616518 wscale=3] [lo=1992758873 high=1993270690 win=65494 modulator=778980472 wscale=0] 9:9 S seq=3275529855 ack=1992758873 len=0 ackskew=0 pkts=7:6 dir=in,fwd pf: State failure on: 1 | 5 Mvh Daniel Rapp -Original Message- From: Daniel Hartmeier [mailto:[EMAIL PROTECTED] Sent: den 5 juli 2006 13:46 To: Daniel Rapp Cc: pf@benzedrine.cx Subject: Re: FW: Strange smtp problem.. On Wed, Jul 05, 2006 at 01:34:34PM +0200, Daniel Rapp wrote: pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25 ccc.ccc.ccc.ccc:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0] [lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566 ack=740836633 len=0 ackskew=0 pkts=2:4 dir=in,fwd pf: State failure on: | You're absolutely sure this is quoted/pasted correctly, the second line really has no numbers after the colon? Daniel smime.p7s Description: S/MIME cryptographic signature
Re: FW: Strange smtp problem..
On Wed, Jul 05, 2006 at 02:07:42PM +0200, Daniel Rapp wrote: pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25 bbb.bbb.bbb.bbb:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0] [lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566 ack=740836633 len=0 ackskew=0 pkts=2:4 dir=in,fwd pf: State failure on: | Ah, that means the RST didn't actually have a th_seq of 1937461566, we're logging after adjusting it (Ease sequencing restrictions on no data packets), somewhat confusing seeing that the first time ;) This message means a TCP RST packet (incoming on the external interface) was blocked by pf because its sequence number th_seq did not precisely match. We check for precise match to make guessing (blind reset attacks) harder. This is a RST that was sent from the external peer, and we blocked it. So it can't explain why the server produces a connection reset by peer log message. Maybe subsequent RSTs (also from the external peer) have exactly matching th_seq and pass. But none of this shows anything except that the RSTs seem to originate from the external peer... Daniel
