pf: BAD state: TCP...

Max Laier max at love2party.net
Wed Mar 29 10:07:24 PST 2006


On Wednesday 29 March 2006 19:23, David Beck wrote:
> Hello,
>
> I have a problem with pf and didn't find any information that would help.
> Could you please advise on this? I wanted a simple thing: create a jail
> and put a squid server into it. It didn't work as expected. Later I
> phased out squid and just wanted to open a TCP connection from the jail
> to the outside world. The interesting thing is that 4 out of 10
> outgoing connections go as expected and the rest block. Then I started
> to play with pf. My last attempt was to increase the debug level,
> and then I got these messages:
>
> Mar 29 19:16:15 w4 kernel: pf: State failure on: 1       | 5
> Mar 29 19:16:27 w4 kernel: pf: BAD state: TCP 10.4.0.127:2567
> OUTSIDE_IP:53042 HOST_TO_CONNECT_IP:80 [lo=2402333945 high=2402391289
> win=57344 modulator=0 wscale=0] [lo=875209420 high=875266764 win=57344
> modulator=0 wscale=0] 11:11 SA seq=1715691499 ack=2402333945 len=0
> ackskew=0 pkts=5:1 dir=in,rev
> Mar 29 19:16:27 w4 kernel: pf: State failure on: 1       | 5
> Mar 29 19:16:32 w4 kernel: pf: BAD state: TCP 10.4.0.127:2569
> OUTSIDE_IP:64910 HOST_TO_CONNECT_IP:80 [lo=516944989 high=517002333
> win=57344 modulator=0 wscale=0] [lo=3318903594 high=3318960938 win=57344
> modulator=0 wscale=0] 11:11 SA seq=2611208073 ack=516944989 len=0
> ackskew=0 pkts=3:1 dir=in,rev
> Mar 29 19:16:32 w4 kernel: pf: State failure on:   2     |   6
> Mar 29 19:16:35 w4 kernel: pf: BAD state: TCP 10.4.0.127:2569
> OUTSIDE_IP:64910 HOST_TO_CONNECT_IP:80 [lo=516944989 high=517002333
> win=57344 modulator=0 wscale=0] [lo=3318903594 high=3318960938 win=57344
> modulator=0 wscale=0] 11:11 SA seq=2611208073 ack=516944989 len=0
> ackskew=0 pkts=3:1 dir=in,rev
>
>
> I found the place in the source where these are generated, but that
> didn't help me. Any ideas?

You seem to be creating state too late.  Make sure that all stateful tcp rules 
are on the initial SYN (flags S/SA).

-- 
/"\  Best regards,                      | mlaier at xxxxxxxxxxx
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
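As an added example, not code from this thread or from pf itself, the script below triages the "BAD state: TCP" debug lines quoted above. It parses the two sequence windows pf recorded for the state, works out from the trailing "rev" which side sent the packet, and reports whether the packet's seq and ack fall inside the tracked windows (32-bit wrap-safe containment; this is a simplification of pf's own check, which also allows some slack). The sample lines are the two distinct entries from the original report, re-joined onto single lines, with the poster's OUTSIDE_IP and HOST_TO_CONNECT_IP placeholders kept. Verdict names such as "seq-mismatch" are this script's own.

```python
"""Triage pf 'BAD state: TCP' debug output: does the packet's seq/ack fit
the windows pf holds for the state? (Added example, not pf code.)"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK = 0xFFFFFFFF  # TCP sequence numbers live in 32-bit modular space

# Constructed sample: the two distinct lines from the report, unwrapped.
SAMPLE_LOG = [
    "Mar 29 19:16:27 w4 kernel: pf: BAD state: TCP 10.4.0.127:2567 OUTSIDE_IP:53042 "
    "HOST_TO_CONNECT_IP:80 [lo=2402333945 high=2402391289 win=57344 modulator=0 wscale=0] "
    "[lo=875209420 high=875266764 win=57344 modulator=0 wscale=0] 11:11 SA "
    "seq=1715691499 ack=2402333945 len=0 ackskew=0 pkts=5:1 dir=in,rev",
    "Mar 29 19:16:32 w4 kernel: pf: BAD state: TCP 10.4.0.127:2569 OUTSIDE_IP:64910 "
    "HOST_TO_CONNECT_IP:80 [lo=516944989 high=517002333 win=57344 modulator=0 wscale=0] "
    "[lo=3318903594 high=3318960938 win=57344 modulator=0 wscale=0] 11:11 SA "
    "seq=2611208073 ack=516944989 len=0 ackskew=0 pkts=3:1 dir=in,rev",
]

BAD_STATE_RE = re.compile(
    r"BAD state: TCP (?P<endpoints>.+?) "
    r"\[lo=(?P<a_lo>\d+) high=(?P<a_hi>\d+) win=(?P<a_win>\d+) modulator=\d+ wscale=(?P<a_ws>\d+)\] "
    r"\[lo=(?P<b_lo>\d+) high=(?P<b_hi>\d+) win=(?P<b_win>\d+) modulator=\d+ wscale=(?P<b_ws>\d+)\] "
    r"(?P<a_state>\d+):(?P<b_state>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+) "
    r"pkts=(?P<a_pkts>\d+):(?P<b_pkts>\d+) dir=(?P<dir>\w+)(?P<rev>,rev)?"
)


@dataclass
class Window:
    lo: int
    hi: int
    win: int
    wscale: int


@dataclass
class BadState:
    endpoints: str
    src: Window      # first bracket: the side that created the state
    dst: Window      # second bracket: its peer
    flags: str
    seq: int
    ack: int
    length: int
    direction: str
    reverse: bool    # ",rev": packet travels against the state's direction


def parse_bad_state(line: str) -> Optional[BadState]:
    """Return the parsed record, or None for lines that are not BAD state lines."""
    m = BAD_STATE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()

    def window(p: str) -> Window:
        return Window(int(g[p + "_lo"]), int(g[p + "_hi"]),
                      int(g[p + "_win"]), int(g[p + "_ws"]))

    return BadState(g["endpoints"], window("a"), window("b"), g["flags"],
                    int(g["seq"]), int(g["ack"]), int(g["len"]),
                    g["dir"], g["rev"] is not None)


def in_window(x: int, lo: int, hi: int) -> bool:
    """lo <= x <= hi in 32-bit modular sequence space."""
    return ((x - lo) & MASK) <= ((hi - lo) & MASK)


def check(bs: BadState) -> dict:
    """Compare the packet against the window of the side that sent it."""
    sender, receiver = (bs.dst, bs.src) if bs.reverse else (bs.src, bs.dst)
    end = (bs.seq + bs.length) & MASK
    seq_ok = (in_window(bs.seq, sender.lo, sender.hi)
              and in_window(end, sender.lo, sender.hi))
    ack_ok = in_window(bs.ack, receiver.lo, receiver.hi)
    return {"seq_ok": seq_ok, "ack_ok": ack_ok,
            "seq_offset": (bs.seq - sender.lo) & MASK,   # distance from tracked lo
            "ack_offset": (bs.ack - receiver.lo) & MASK}


def verdict(bs: BadState) -> str:
    r = check(bs)
    if not r["seq_ok"] and r["ack_ok"]:
        return "seq-mismatch"    # sender's seq is far from what pf tracks
    if r["seq_ok"] and not r["ack_ok"]:
        return "ack-mismatch"
    if not r["seq_ok"] and not r["ack_ok"]:
        return "both-mismatch"
    return "within-window"       # rejected for a reason this check does not model


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(endpoints, flags, verdict) for every BAD state line in the input."""
    out = []
    for line in lines:
        bs = parse_bad_state(line)
        if bs is not None:
            out.append((bs.endpoints, bs.flags, verdict(bs)))
    return out


if __name__ == "__main__":
    for endpoints, flags, v in triage(SAMPLE_LOG):
        print(f"{endpoints}  flags={flags}  {v}")
```

Run against the quoted lines, both entries come out as "seq-mismatch": the reply from port 80 (flags SA, reverse direction) carries a sequence number hundreds of millions away from the window pf holds for that peer, while its ack lands exactly on the tracked lo of the jail side. A state whose tracked window for the server never matched what the server actually sends is what you would expect when the state was not created from the initial SYN, which is the diagnosis in the reply above.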