[OT] Re: TCP conection problems IBM VM - FreeBSD

2007-03-25 Thread Ian Smith
On Sat, 24 Mar 2007 07:40:50 -0400 Richard reckons:
[..]
   Then I started thinking (always a fruitless endeavor), why would a *BSD
  based firewall/IP stack drop the corresponding SYN-ACK when it was
  activated?  And that thought just fucking bugged me to no end.  I could
  accept some crazy IBM IP stack not dealing with *BSD, but this was
  *BSD box to *BSD box on the return path that dropped the packet. Also,
  according to the original poster bang.swox.se has no problems
  communicating with other systems and he has no problems communicating to
  vm.se.lsoft.com.

I can't help with the Real Problem here, hence Subject change, but ..

[..]
   ** After looking through Stevens TCP/IP Illustrated I can find no
  reference to what sequence number a RST packet should have if a SYN-ACK
  precedes it.  I'm unsure whether the RST should ACK the SYN + 1, as a
  SYN consumes a byte in normal operation, or return the ISN to the
  sending host. But as sending a RST in response to a SYN-ACK is not
  normal operation; such ambiguities would likely be left to the
  programmer's discretion.  In this case IBM not a stack derived from *BSD.

Secondly, the IBM TCP/IP stack and most userland network utilities were
declaredly BSD-derived at least through the '90s OS/2 times - and likely
much earlier, but I've not played with an IBM mainframe since '73 :)

But firstly, I wonder why you'd expect IBM to run 'some crazy' stack?

  this now opens a whole new box of worms?!?!?

Hopefully not ..

Cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: TCP conection problems IBM VM - FreeBSD

2007-03-24 Thread Richard

 These are the ones that correspond.  They come in bursts like that.  If
 I let it run a little longer, I get output like this:
   
 19:45:56.939958 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317060084 0
 19:45:56.940154 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 3183232720:3183232720(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24588210 2317060084
 19:45:56.974421 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: R 678305701:678305701(0) win 0
 19:45:59.939737 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317247594 0
 19:45:59.939905 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 1749284606:1749284606(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24588510 2317247594
 19:45:59.978666 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: R 678305701:678305701(0) win 0
 19:46:05.940041 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317622600 0
 19:46:05.940205 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 2664894402:2664894402(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24589110 2317622600
 19:46:05.977251 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: R 678305701:678305701(0) win 0
   
I know I'm late getting to this thread, but I hadn't seen anyone point
this out, so it may be of some help or just food for thought.  According
to the above trace, it basically looks like vm is broken either due to
hardware, software or a combination of the both.  I know nothing of
mainframes or the behavior of their TCP/IP stacks so it was very easy to
come to that knee-jerk conclusion.  
Then I started thinking (always a fruitless endeavor), why would a *BSD
based firewall/IP stack drop the corresponding SYN-ACK when it was
activated?  And that thought just fucking bugged me to no end.  I could
accept some crazy IBM IP stack not dealing with *BSD, but this was
*BSD box to *BSD box on the return path that dropped the packet. Also,
according to the original poster bang.swox.se has no problems
communicating with other systems and he has no problems communicating to
vm.se.lsoft.com.

 But smtp.swox.se is perfectly capable of
 accepting TCP connections from lots of machines out there, and the
 router leaves the SYNACKs alone except when vm is on the receiving end.

 Making tcp connections in the other direction (smtp.swox.se - vm)
 works flawlessly.
 

Now, I know this may sound a little weird, but that train of thought
(I use the term loosely) led me to this question.  What if vm never sent
the initial SYN?  A forged source address perhaps from the internal
network.  That would make what is shown in the trace above move in
clock-step.

client (forged) - SYN ISN 
host- SYN ISN (ACK ISN recvd + 1)
client (true)   - RST SN **

If the initial packet was forged then the RST from vm makes perfect
sense.  It would also explain why the Firewall would drop the SYN-ACK as
the packet would not correspond to an initiating SYN that the Firewall
could reference in its state tables.  *I have never used pf so this
assumption may be incorrect.

** After looking through Stevens TCP/IP Illustrated I can find no
reference to what sequence number a RST packet should have if a SYN-ACK
precedes it.  I'm unsure whether the RST should ACK the SYN + 1, as a
SYN consumes a byte in normal operation, or return the ISN to the
sending host. But as sending a RST in response to a SYN-ACK is not
normal operation; such ambiguities would likely be left to the
programmer's discretion.  In this case IBM not a stack derived from *BSD.

Then, alas, after much trouble and toil; I noticed that the TCP/IP
traces refer to different hosts.
vm.se.lsoft.com   smtp.swox.se
then
vm.se.lsoft.com   bang.swox.se

this now opens a whole new box of worms?!?!?





Re: TCP conection problems IBM VM - FreeBSD

2007-03-23 Thread Torbjorn Granlund
Chuck Swiger [EMAIL PROTECTED] writes:

  On Mar 22, 2007, at 12:00 PM, Torbjorn Granlund wrote:
 The second line should have been smtp.swox.se.smtp SYN+ACK'ing the
 ISN of 27523124.  vm is sending a RST to that because the sequence
 #'s don't match.  It's also odd that the set of options being listed
 don't correspond at all...if you run the tcpdump for several minutes,
 can you track down other SYN requests which do correspond?
  
   These are the ones that correspond.  They come in bursts like that.  If
   I let it run a little longer, I get output like this:
  
   19:45:56.939958 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317060084 0
   19:45:56.940154 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 3183232720:3183232720(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24588210 2317060084
  
  Notice the ACK from vm.se.lsoft.com is off by one, but the timestamp
  option corresponds.  Looks to be a bug with the vm machine, the bang
  machine is behaving properly per the TCP requirements.
  
Now you're confusing me.

(1) There is no ACK sent from vm.se.lsoft.com.  The only ACKs sent
are in the other directions, as per the tcpdumps above.
(2) The ACKs are not off by one, or if you prefer, ACKs on TCP are
always off by one.  They are one higher than one would expect.

-- 
Torbjörn


Re: TCP conection problems IBM VM - FreeBSD

2007-03-23 Thread Chuck Swiger

On Mar 23, 2007, at 10:16 AM, Torbjorn Granlund wrote:
These are the ones that correspond.  They come in bursts like that.  If
I let it run a little longer, I get output like this:

19:45:56.939958 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317060084 0
19:45:56.940154 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 3183232720:3183232720(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24588210 2317060084


  Notice the ACK from vm.se.lsoft.com is off by one, but the timestamp
  option corresponds.  Looks to be a bug with the vm machine, the bang
  machine is behaving properly per the TCP requirements.


Now you're confusing me.


It's not intentional.  I might be confusing us both.  :-)


(1) There is no ACK sent from vm.se.lsoft.com.  The only ACKs sent
are in the other directions, as per the tcpdumps above.


Uh, yes.  I meant this packet:

  bang.swox.se.smtp > vm.se.lsoft.com.58679: S 3183232720:3183232720(0) ack 678305701



(2) The ACKs are not off by one, or if you prefer, ACKs on TCP are
always off by one.  They are one higher than one would expect.


You're right-- the SYN+ACK reply to a connection open (bare SYN)  
should reply with SEQ = ISS + 1 to acknowledge the SYN (which counts  
as a byte).


--
-Chuck



Re: TCP conection problems IBM VM - FreeBSD

2007-03-22 Thread Chuck Swiger

On Mar 21, 2007, at 5:03 PM, Torbjorn Granlund wrote:

When vm attempts to make a TCP connection (e.g., on port 25) to
smtp.swox.se I see the following traffic on the router:

22:46:27.015389 IP vm.se.lsoft.com.47218 > smtp.swox.se.smtp: S 27523124:27523124(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 1888741492 0
22:46:27.015523 IP smtp.swox.se.smtp > vm.se.lsoft.com.47218: S 1745147473:1745147473(0) ack 3530628660 win 57344 mss 1460
22:46:27.056277 IP vm.se.lsoft.com.47218 > smtp.swox.se.smtp: R 3530628660:3530628660(0) win 0


I.e., the vm box appears to dislike the SYNACK from smtp.swox.se, and
sends an RST.  One might ask if it is the fault of vm or of  
smtp.swox.se.


The second line should have been smtp.swox.se.smtp SYN+ACK'ing the  
ISN of 27523124.  vm is sending a RST to that because the sequence  
#'s don't match.  It's also odd that the set of options being listed  
don't correspond at all...if you run the tcpdump for several minutes,  
can you track down other SYN requests which do correspond?


Sometimes this kind of re-writing can happen if natd or PF is  
attempting to translate the packets, perhaps when they shouldn't if  
both sides of your router box are using routable IPs


--
-Chuck



Re: TCP conection problems IBM VM - FreeBSD

2007-03-22 Thread Torbjorn Granlund
Chuck Swiger [EMAIL PROTECTED] writes:

  On Mar 21, 2007, at 5:03 PM, Torbjorn Granlund wrote:
When vm attempts to make a TCP connection (e.g., on port 25) to
smtp.swox.se I see the following traffic on the router:
   
22:46:27.015389 IP vm.se.lsoft.com.47218 > smtp.swox.se.smtp: S 27523124:27523124(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 1888741492 0
22:46:27.015523 IP smtp.swox.se.smtp > vm.se.lsoft.com.47218: S 1745147473:1745147473(0) ack 3530628660 win 57344 mss 1460
22:46:27.056277 IP vm.se.lsoft.com.47218 > smtp.swox.se.smtp: R 3530628660:3530628660(0) win 0
  
I.e., the vm box appears to dislike the SYNACK from smtp.swox.se, and
sends an RST.  One might ask if it is the fault of vm or of  
smtp.swox.se.
  
  The second line should have been smtp.swox.se.smtp SYN+ACK'ing the  
  ISN of 27523124.  vm is sending a RST to that because the sequence  
  #'s don't match.  It's also odd that the set of options being listed  
  don't correspond at all...if you run the tcpdump for several minutes,  
  can you track down other SYN requests which do correspond?

These are the ones that correspond.  They come in bursts like that.  If
I let it run a little longer, I get output like this:
  
19:45:56.939958 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317060084 0
19:45:56.940154 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 3183232720:3183232720(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24588210 2317060084
19:45:56.974421 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: R 678305701:678305701(0) win 0
19:45:59.939737 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317247594 0
19:45:59.939905 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 1749284606:1749284606(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24588510 2317247594
19:45:59.978666 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: R 678305701:678305701(0) win 0
19:46:05.940041 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317622600 0
19:46:05.940205 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 2664894402:2664894402(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24589110 2317622600
19:46:05.977251 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: R 678305701:678305701(0) win 0
  
The ISN's don't match here either.

  Sometimes this kind of re-writing can happen if natd or PF is  
  attempting to translate the packets, perhaps when they shouldn't if  
  both sides of your router box are using routable IPs
  
I don't run natd at all, and to get the output above from tcpdump I
had disabled pf with pfctl -d.  With pf running, it silently drops the
2nd packet.  Could that too be related to ISN's?

The outside of the fbsd 6.2 router has two addresses, one routable and
one not routable.  This is due to the default setup my ISP is
providing: There is a little net 192.168.0.0/30 between their router
and my fbsd 6.2 router.

(I have a routable address on the interface in order to allow pf's nat
to provide a sensible return address for the nat'ed packets.)

-- 
Torbjörn
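
The check argued over in this thread (does the SYN-ACK acknowledge ISN + 1, and does the RST take its sequence number from the SYN-ACK's ACK field, as RFC 793 specifies for a reset answering a segment that carries an ACK) can be run mechanically over both captures. This is an added example, not code from any poster; the function names are made up for illustration, and the two traces are copied from the messages with the stripped ">" restored and the TCP options trimmed.

```python
import re

# First handshake of each capture quoted in this thread (">" restored,
# TCP options trimmed for width).
TRACE_SMTP = """\
22:46:27.015389 IP vm.se.lsoft.com.47218 > smtp.swox.se.smtp: S 27523124:27523124(0) win 8192 mss 1420
22:46:27.015523 IP smtp.swox.se.smtp > vm.se.lsoft.com.47218: S 1745147473:1745147473(0) ack 3530628660 win 57344 mss 1460
22:46:27.056277 IP vm.se.lsoft.com.47218 > smtp.swox.se.smtp: R 3530628660:3530628660(0) win 0
"""
TRACE_BANG = """\
19:45:56.939958 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420
19:45:56.940154 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 3183232720:3183232720(0) ack 678305701 win 57344 mss 1460
19:45:56.974421 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: R 678305701:678305701(0) win 0
"""

# Old-style tcpdump line: time, "IP", src > dst:, flags, seq:seq(len), optional ack.
PKT = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRFP.]+) "
                 r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")

def parse(trace):
    """Yield (src, dst, flags, seq, ack) for every line that parses."""
    for line in trace.splitlines():
        m = PKT.match(line)
        if m:
            ack = int(m["ack"]) if m["ack"] else None
            yield m["src"], m["dst"], m["flags"], int(m["seq"]), ack

def audit_handshake(trace):
    """Return one finding per SYN-ACK and per RST that answers it."""
    findings, isn, synack_ack = [], {}, {}
    for src, dst, flags, seq, ack in parse(trace):
        if flags == "S" and ack is None:           # bare SYN: remember the ISN
            isn[(src, dst)] = seq
        elif flags == "S" and (dst, src) in isn:   # SYN-ACK must ack ISN + 1
            synack_ack[(src, dst)] = ack
            ok = ack == (isn[(dst, src)] + 1) % 2**32
            findings.append("synack-ok" if ok else "synack-ack-mismatch")
        elif "R" in flags and (dst, src) in synack_ack:
            # RFC 793: a reset sent in reply to a segment carrying an ACK
            # takes its sequence number from that ACK field.
            ok = seq == synack_ack[(dst, src)]
            findings.append("rst-seq-from-ack" if ok else "rst-seq-unexpected")
    return findings

if __name__ == "__main__":
    for name, trace in (("smtp", TRACE_SMTP), ("bang", TRACE_BANG)):
        print(name, audit_handshake(trace))
```
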


Re: TCP conection problems IBM VM - FreeBSD

2007-03-22 Thread Chuck Swiger

On Mar 22, 2007, at 12:00 PM, Torbjorn Granlund wrote:

  The second line should have been smtp.swox.se.smtp SYN+ACK'ing the
  ISN of 27523124.  vm is sending a RST to that because the sequence
  #'s don't match.  It's also odd that the set of options being listed
  don't correspond at all...if you run the tcpdump for several minutes,
  can you track down other SYN requests which do correspond?


These are the ones that correspond.  They come in bursts like that.  If
I let it run a little longer, I get output like this:

19:45:56.939958 IP vm.se.lsoft.com.58679 > bang.swox.se.smtp: S 678305700:678305700(0) win 8192 mss 1420,wscale 0,nop,nop,nop,timestamp 2317060084 0
19:45:56.940154 IP bang.swox.se.smtp > vm.se.lsoft.com.58679: S 3183232720:3183232720(0) ack 678305701 win 57344 mss 1460,nop,wscale 0,nop,nop,timestamp 24588210 2317060084


Notice the ACK from vm.se.lsoft.com is off by one, but the timestamp  
option corresponds.  Looks to be a bug with the vm machine, the bang  
machine is behaving properly per the TCP requirements.


Hmm, I wonder if something in between is fragmenting the initial  
traffic and causing vm to get confused?  Try setting the interface  
MTUs down to 1024 or 512 and see whether that makes any difference...



  Sometimes this kind of re-writing can happen if natd or PF is
  attempting to translate the packets, perhaps when they shouldn't if
  both sides of your router box are using routable IPs


I don't run natd at all, and to get the output above from tcpdump I
had disabled pf with pfctl -d.  With pf running, it silently drops the
2nd packet.  Could that too be related to ISN's?


Yes, pf tracks connection state and will drop subsequent traffic  
which does match a legit connection or a new (permitted) connection  
open attempt.



The outside of the fbsd 6.2 router has two addresses, one routable and
one not routable.  This is due to the default setup my ISP is
providing: There is a little net 192.168.0.0/30 between their router
and my fbsd 6.2 router.


OK.  That shouldn't matter then, if you're just doing straight  
routing via this /30, rather than re-writing the packets.


--
-Chuck
