
RE: Public web server behind a PF bridge, crap clients



Is this the type of noise that is being discussed? I have a web server at
139.142.191.68 that seems to be dropping connections that I thought
would otherwise go through.
Here is some recent logging.
17:31:38.315742 rule 5/0(match): block out on xl0: 139.142.191.68.80 >
65.56.74.170.3211: F [tcp sum ok] 4249619931:4249619931(0) ack
3456767534 win 7504 (DF) (ttl 63, id 47058)
17:33:59.867858 rule 549/0(match): block in on xl0: 12.231.86.106.49950
> 139.142.191.68.80: R [tcp sum ok] 1878353266:1878353266(0) ack
203412586 win 33028 (DF) (ttl 49, id 7208)
17:34:09.856363 rule 549/0(match): block in on xl0: 12.231.86.106.49951
> 139.142.191.68.80: R [tcp sum ok] 606159467:606159467(0) ack 204835203
win 33028 (DF) (ttl 49, id 7233)
17:34:40.925859 rule 549/0(match): block in on xl0: 24.78.30.50.1078 >
139.142.191.68.80: F [tcp sum ok] 1287528:1287528(0) ack 244748148 win
7588 (DF) (ttl 121, id 39171)
17:34:40.949498 rule 549/0(match): block in on xl0: 24.78.30.50.1076 >
139.142.191.68.80: F [tcp sum ok] 1289146:1289146(0) ack 243739610 win
8760 (DF) (ttl 121, id 39683)
17:34:41.333518 rule 549/0(match): block in on xl0: 24.78.30.50.1076 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 43267)
17:34:41.453557 rule 549/0(match): block in on xl0: 24.78.30.50.1078 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7588 (DF) (ttl 121,
id 45827)
17:34:42.137286 rule 549/0(match): block in on xl0: 24.78.30.50.1076 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 59139)
17:34:42.600329 rule 549/0(match): block in on xl0: 24.78.30.50.1078 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7588 (DF) (ttl 121,
id 9220)
17:34:43.669058 rule 549/0(match): block in on xl0: 24.78.30.50.1076 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 51204)
17:34:44.980386 rule 549/0(match): block in on xl0: 24.78.30.50.1078 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7588 (DF) (ttl 121,
id 50181)
17:34:46.869533 rule 549/0(match): block in on xl0: 24.78.30.50.1076 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 57094)
17:34:49.810700 rule 549/0(match): block in on xl0: 24.78.30.50.1078 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7588 (DF) (ttl 121,
id 57350)
17:34:53.319875 rule 549/0(match): block in on xl0: 24.78.30.50.1076 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 57606)
17:34:59.404190 rule 549/0(match): block in on xl0: 24.78.30.50.1078 >
139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7588 (DF) (ttl 121,
id 57862)
17:36:40.247455 rule 549/0(match): block in on xl0: 207.164.209.139.1455
> 139.142.191.68.80: P 132765070:132765471(401) ack 20945323 win 8139
(DF) (ttl 116, id 1024)
17:36:41.079532 rule 549/0(match): block in on xl0: 207.164.209.139.1455
> 139.142.191.68.80: P 0:401(401) ack 1 win 8139 (DF) (ttl 116, id
16426)
17:36:43.328381 rule 549/0(match): block in on xl0: 207.164.209.139.1455
> 139.142.191.68.80: P 0:401(401) ack 1 win 8139 (DF) (ttl 116, id
19754)
17:36:47.276316 rule 549/0(match): block in on xl0: 207.164.209.139.1455
> 139.142.191.68.80: P 0:401(401) ack 1 win 8139 (DF) (ttl 116, id
27178)
17:36:47.352720 rule 549/0(match): block in on xl0: 207.164.209.139.1457
> 139.142.191.68.80: P 132770149:132770634(485) ack 20003656 win 8160
(DF) (ttl 116, id 12800)
17:36:48.000275 rule 549/0(match): block in on xl0: 207.164.209.139.1456
> 139.142.191.68.80: P 132761803:132762226(423) ack 22659933 win 8369
(DF) (ttl 116, id 13568)
17:36:48.080719 rule 549/0(match): block in on xl0: 207.164.209.139.1454
> 139.142.191.68.80: P 132765165:132765583(418) ack 9944445 win 8164
(DF) (ttl 116, id 14848)
17:36:48.386764 rule 549/0(match): block in on xl0: 207.164.209.139.1454
> 139.142.191.68.80: P 0:418(418) ack 1 win 8164 (DF) (ttl 116, id
30762)
17:36:49.439206 rule 549/0(match): block in on xl0: 207.164.209.139.1454
> 139.142.191.68.80: P 0:418(418) ack 1 win 8164 (DF) (ttl 116, id
32042)
17:36:51.451057 rule 549/0(match): block in on xl0: 207.164.209.139.1454
> 139.142.191.68.80: P 0:418(418) ack 1 win 8164 (DF) (ttl 116, id
34090)
17:36:52.679065 rule 549/0(match): block in on xl0: 207.164.209.139.1457
> 139.142.191.68.80: P 0:485(485) ack 1 win 8160 (DF) (ttl 116, id
35882)
17:36:53.835190 rule 549/0(match): block in on xl0: 207.164.209.139.1456
> 139.142.191.68.80: P 0:423(423) ack 1 win 8369 (DF) (ttl 116, id
36650)
17:36:54.556659 rule 549/0(match): block in on xl0: 207.164.209.139.1454
> 139.142.191.68.80: P 0:418(418) ack 1 win 8164 (DF) (ttl 116, id
36906)
17:36:55.782727 rule 549/0(match): block in on xl0: 207.164.209.139.1455
> 139.142.191.68.80: P 0:401(401) ack 1 win 8139 (DF) (ttl 116, id
37162)
17:36:59.133844 rule 549/0(match): block in on xl0: 207.164.209.139.1457
> 139.142.191.68.80: P 0:485(485) ack 1 win 8160 (DF) (ttl 116, id
39722)
17:37:01.130125 rule 549/0(match): block in on xl0: 207.164.209.139.1454
> 139.142.191.68.80: P 0:418(418) ack 1 win 8164 (DF) (ttl 116, id
42026)
17:37:04.148708 rule 549/0(match): block in on xl0: 207.164.209.139.1456
> 139.142.191.68.80: P 0:423(423) ack 1 win 8369 (DF) (ttl 116, id
42282)
17:37:11.948126 rule 549/0(match): block in on xl0: 207.164.209.139.1457
> 139.142.191.68.80: P 0:485(485) ack 1 win 8160 (DF) (ttl 116, id
42538)
17:37:11.969121 rule 549/0(match): block in on xl0: 207.164.209.139.1455
> 139.142.191.68.80: P 0:401(401) ack 1 win 8139 (DF) (ttl 116, id
42794)
17:37:20.118228 rule 549/0(match): block in on xl0: 142.59.189.230.1108
> 139.142.191.68.80: F [tcp sum ok] 1814085:1814085(0) ack 444961852 win
8760 (DF) (ttl 121, id 19462)
17:37:20.119632 rule 549/0(match): block in on xl0: 142.59.189.230.1107
> 139.142.191.68.80: F [tcp sum ok] 1812854:1812854(0) ack 451685948 win
8760 (DF) (ttl 121, id 19718)
17:37:20.606270 rule 549/0(match): block in on xl0: 142.59.189.230.1107
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 21510)
17:37:20.705762 rule 549/0(match): block in on xl0: 142.59.189.230.1108
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 23558)
17:37:21.626632 rule 549/0(match): block in on xl0: 142.59.189.230.1107
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 35334)
17:37:21.935129 rule 549/0(match): block in on xl0: 142.59.189.230.1108
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 41222)
17:37:23.655036 rule 549/0(match): block in on xl0: 142.59.189.230.1107
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 44806)
17:37:24.371124 rule 549/0(match): block in on xl0: 142.59.189.230.1108
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 46598)
17:37:25.229268 rule 549/0(match): block in on xl0: 207.164.209.139.1456
> 139.142.191.68.80: P 0:423(423) ack 1 win 8369 (DF) (ttl 116, id
43306)
17:37:27.744634 rule 549/0(match): block in on xl0: 142.59.189.230.1107
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 46854)
17:37:29.259406 rule 549/0(match): block in on xl0: 142.59.189.230.1108
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 47110)
17:37:35.842642 rule 549/0(match): block in on xl0: 142.59.189.230.1107
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 47878)
17:37:37.797346 rule 549/0(match): block in on xl0: 207.164.209.139.1457
> 139.142.191.68.80: P 0:485(485) ack 1 win 8160 (DF) (ttl 116, id
44330)
17:37:38.992107 rule 549/0(match): block in on xl0: 142.59.189.230.1108
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 48134)
17:37:52.046609 rule 549/0(match): block in on xl0: 207.164.209.139.1460
> 139.142.191.68.80: P 133226352:133226745(393) ack 510922715 win 8533
(DF) (ttl 116, id 1536)
17:38:00.358248 rule 549/0(match): block in on xl0: 207.164.209.139.1460
> 139.142.191.68.80: P 0:517(517) ack 1 win 8533 (DF) (ttl 116, id
54314)
17:38:07.190542 rule 549/0(match): block in on xl0: 207.164.209.139.1456
> 139.142.191.68.80: P 0:423(423) ack 1 win 8369 (DF) (ttl 116, id
54570)
17:38:11.102201 rule 549/0(match): block in on xl0: 207.164.209.139.1460
> 139.142.191.68.80: P 0:517(517) ack 1 win 8533 (DF) (ttl 116, id
54826)
17:38:33.080809 rule 549/0(match): block in on xl0: 207.164.209.139.1460
> 139.142.191.68.80: P 0:517(517) ack 1 win 8533 (DF) (ttl 116, id
55594)
17:39:03.905254 rule 549/0(match): block in on xl0: 217.184.243.47.4310
> 139.142.191.64.80: S [tcp sum ok] 574634105:574634105(0) win 8760 <mss
1460,nop,nop,sackOK> (DF) (ttl 102, id 64132)
17:39:06.903277 rule 549/0(match): block in on xl0: 217.184.243.47.4310
> 139.142.191.64.80: S [tcp sum ok] 574634105:574634105(0) win 8760 <mss
1460,nop,nop,sackOK> (DF) (ttl 102, id 64294)
17:39:12.912041 rule 549/0(match): block in on xl0: 217.184.243.47.4310
> 139.142.191.64.80: S [tcp sum ok] 574634105:574634105(0) win 8760 <mss
1460,nop,nop,sackOK> (DF) (ttl 102, id 64616)
17:39:16.559294 rule 549/0(match): block in on xl0: 207.164.209.139.1460
> 139.142.191.68.80: P 0:517(517) ack 1 win 8533 (DF) (ttl 116, id
55850)
17:39:31.210189 rule 549/0(match): block in on xl0: 207.164.209.139.1456
> 139.142.191.68.80: P 0:423(423) ack 1 win 8369 (DF) (ttl 116, id
56106)
17:41:02.421460 rule 549/0(match): block in on xl0: 142.59.189.230.1113
> 139.142.191.68.80: F [tcp sum ok] 2018016:2018016(0) ack 648692546 win
8760 (DF) (ttl 121, id 35335)
17:41:02.422790 rule 549/0(match): block in on xl0: 142.59.189.230.1114
> 139.142.191.68.80: F [tcp sum ok] 2018212:2018212(0) ack 657945417 win
7794 (DF) (ttl 121, id 35591)
17:41:03.854386 rule 549/0(match): block in on xl0: 142.59.189.230.1113
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 41735)
17:41:04.664153 rule 549/0(match): block in on xl0: 142.59.189.230.1114
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7794 (DF) (ttl 121,
id 41991)
17:41:06.869182 rule 549/0(match): block in on xl0: 142.59.189.230.1113
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 42247)
17:41:09.293517 rule 549/0(match): block in on xl0: 142.59.189.230.1114
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7794 (DF) (ttl 121,
id 42503)
17:41:12.947688 rule 549/0(match): block in on xl0: 142.59.189.230.1113
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 42759)
17:41:18.611714 rule 549/0(match): block in on xl0: 142.59.189.230.1114
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7794 (DF) (ttl 121,
id 43015)
17:41:25.070355 rule 549/0(match): block in on xl0: 142.59.189.230.1113
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 45063)
17:41:37.212367 rule 549/0(match): block in on xl0: 142.59.189.230.1114
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7794 (DF) (ttl 121,
id 50951)
17:41:49.340018 rule 549/0(match): block in on xl0: 142.59.189.230.1113
> 139.142.191.68.80: F [tcp sum ok] 0:0(0) ack 1 win 8760 (DF) (ttl 121,
id 51719)
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf
Of Stephen Gutknecht (OBSD-PF)
Sent: Friday, December 06, 2002 5:11 PM
To: Daniel Hartmeier
Cc: [email protected]
Subject: RE: Public web server behind a PF bridge, crap clients
Hi Daniel,
Are the default timeout values documented somewhere?  If not, could you
post them? The man pages for pf.conf show how to set them, but don't seem
to indicate the defaults.
On a similar note:  does "set optimization" influence the timeouts, or is
it merely relaxing the state matching tolerance?
Thanks.
  Stephen
-----Original Message-----
From: Daniel Hartmeier [mailto:[email protected]] 
Sent: Friday, December 06, 2002 1:08 PM
Subject: Re: Public web server behind a PF bridge, crap clients
[snip]
In every case, either the state has
timed out already or the peer was re-using a port with a new initial
sequence number before the old state has timed out. You can compensate
for both by adjusting the tcp state timeout values.
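
One way to triage a log like the one in this thread, as an added example that is not part of the original messages: it groups blocked packets per flow and separates bare SYNs (new connections the ruleset refused) from FIN/RST/PUSH segments that found no state, the case the reply attributes to state timeouts. The sample lines are constructed with documentation addresses, and the classification is a heuristic that assumes the pass rule creates state on SYN only.

```python
import re
from collections import defaultdict

# Constructed sample in the pflog/tcpdump format shown in the thread, with
# documentation addresses; one entry is left mail-wrapped over three lines.
SAMPLE = """\
17:34:40.925859 rule 549/0(match): block in on xl0: 198.51.100.50.1078 > 192.0.2.68.80: F [tcp sum ok] 1287528:1287528(0) ack 244748148 win 7588 (DF) (ttl 121, id 39171)
17:34:41.453557 rule 549/0(match): block in on xl0: 198.51.100.50.1078 > 192.0.2.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7588 (DF) (ttl 121, id 45827)
17:34:59.404190 rule 549/0(match): block in on xl0: 198.51.100.50.1078 > 192.0.2.68.80: F [tcp sum ok] 0:0(0) ack 1 win 7588 (DF) (ttl 121, id 57862)
17:36:40.247455 rule 549/0(match): block in on xl0: 203.0.113.139.1455
> 192.0.2.68.80: P 132765070:132765471(401) ack 20945323 win 8139
(DF) (ttl 116, id 1024)
17:39:03.905254 rule 549/0(match): block in on xl0: 203.0.113.47.4310 > 192.0.2.64.80: S [tcp sum ok] 574634105:574634105(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 102, id 64132)
17:39:06.903277 rule 549/0(match): block in on xl0: 203.0.113.47.4310 > 192.0.2.64.80: S [tcp sum ok] 574634105:574634105(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 102, id 64294)
"""

LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) rule (\d+)/\d+\(match\): block (in|out) on \S+: "
    r"(\S+) > (\S+): ([SFRP.]+) "
)

def parse(text):
    """Yield (seconds, rule, direction, src, dst, flags) per blocked packet."""
    text = re.sub(r"\n(?!\d\d:\d\d:\d\d\.)", " ", text)  # rejoin wrapped entries
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, rule, direction, src, dst, flags = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), int(rule), direction, src, dst, flags

def summarize(text):
    """Group blocked packets per flow and label what each flow suggests."""
    flows = defaultdict(list)
    for ts, rule, direction, src, dst, flags in parse(text):
        flows[(src, dst)].append((ts, flags))
    report = {}
    for key, pkts in flows.items():
        flags = {f for _, f in pkts}
        # Heuristic (assumes state is created on SYN only): a bare SYN is a new
        # connection the ruleset refused; F/R/P segments needed an existing state.
        kind = "new-connection" if flags == {"S"} else "no-state"
        span = round(pkts[-1][0] - pkts[0][0], 1)
        report[key] = {"kind": kind, "packets": len(pkts), "retry_span_s": span}
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

The retry span shows how long a peer kept retransmitting into a missing state entry, which is the figure to compare against the tcp timeout values before raising them.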