
synproxy problems



Hello pf people!
I'm having a bit of trouble with rules using "synproxy state". I'm running the
latest i386 snapshot at the moment (May 10). I can't tell when synproxy stopped
working, since I don't connect back to this machine very often. I just realized
yesterday that it didn't work as expected.

When using synproxy in the rules and connecting to those ports, it seems as if
the three-way handshake completes ok, but then nothing more. The included
tcpdumps will show you this. The connecting machine (130.240.202.203) is
running 3.5-stable, if that would matter.

You will be seeing the IP address "192.168.2.2" in the dumps. This is because
the OpenBSD box sits behind an ADSL bridge that speaks PPPoE and does a simple
form of NAT (proxy ARP perhaps?).

Thttpd is running on port 80, and it works perfectly when only using
"keep state" instead of "synproxy state".

Would one of you experts please hit me with a cluebat, since I really
don't know where to look anymore.
Big thanks in advance!
/Johan
with synproxy state:
------
18:49:46.866829 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 78: 130.240.202.203.16876 > 192.168.2.2.80: S [tcp sum ok] 1377846560:1377846560(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 556263650 0> (DF) [tos 0x10] (ttl 51, id 26876)
18:49:46.866978 0:0:e:9c:b0:62 0:a0:c5:36:79:15 0800 58: 192.168.2.2.80 > 130.240.202.203.16876: S [tcp sum ok] 105315117:105315117(0) ack 1377846561 win 0 <mss 1414> (DF) [tos 0x10] (ttl 64, id 7089)
18:49:46.892013 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 60: 130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] ack 1 win 16384 (DF) [tos 0x10] (ttl 51, id 8141)
18:50:07.368803 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 60: 130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] 1:2(1) ack 1 win 16384 (DF) [tos 0x10] (ttl 51, id 62188)
18:50:12.368527 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 60: 130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] 1:2(1) ack 1 win 16384 (DF) [tos 0x10] (ttl 51, id 24746)
18:50:17.367890 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 60: 130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] 1:2(1) ack 1 win 16384 (DF) [tos 0x10] (ttl 51, id 58011)
18:50:25.367766 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 60: 130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] 1:2(1) ack 1 win 16384 (DF) [tos 0x10] (ttl 51, id 41100)
18:50:25.367942 0:0:e:9c:b0:62 0:a0:c5:36:79:15 0800 54: 192.168.2.2.80 > 130.240.202.203.16876: R [tcp sum ok] 1:1(0) ack 2 win 0 (DF) [tos 0x10] (ttl 64, id 16877)
The telnet session I used on 130.240.202.203 just drops with
"Connection closed by foreign host." after this.
without synproxy state (with keep state):
------
18:50:11.053389 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 78: 130.240.202.203.16135 > 192.168.2.2.80: S [tcp sum ok] 1134756442:1134756442(0) win 16384 <mss 1400,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 556263818 0> (DF) [tos 0x10] (ttl 51, id 31425)
18:50:11.053698 0:0:e:9c:b0:62 0:a0:c5:36:79:15 0800 78: 192.168.2.2.80 > 130.240.202.203.16135: S [tcp sum ok] 1294411693:1294411693(0) ack 1134756443 win 16384 <mss 1414,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 168666528 556263818> (DF) (ttl 64, id 17809)
18:50:11.080320 0:a0:c5:36:79:15 0:0:e:9c:b0:62 0800 66: 130.240.202.203.16135 > 192.168.2.2.80: . [tcp sum ok] ack 1 win 16384 <nop,nop,timestamp 556263818 168666528> (DF) [tos 0x10] (ttl 51, id 25548)
(The rest of the connection continues as assumed.)
This is the pf.conf I'm using:
------
# --- Macros ---
# interfaces
ext_if = "fxp0"
int_if = "xl1"
ip6_if = "gif0"
pfsync_if= "xl0"
# server ports
tcp_servers = "{ 22, 80, 113 }"
tcp6_servers = "{ 22, 80 }"
# flags/state
f_def = "flags S/SA keep state"
f_srv = "flags S/SA synproxy state"
#f_srv = "flags S/SA keep state"
# ---- Settings ----
set optimization aggressive
set block-policy return
set loginterface $ext_if
# ---- Tables ----
table <rfc1918> const { 10/8, 172.16/12, 192.168/16, !192.168.2.0/29 }
table <dns:chief.homeunix.net> persist { 127.0.0.1 }
# IP's allowed to ftp in
table <ftp-hosts> persist { 193.10.0.0/16 }
# ---- Scrub ----
# scrub all traffic
scrub on { $ext_if, $int_if } all reassemble tcp random-id 
# ---- ALTQ ----
altq on $ext_if cbq bandwidth 550Kb queue \
        { ext-q_pri, ext-q_default, ext-q_upload }
queue ext-q_pri     priority 7
queue ext-q_default priority 1 cbq(default)
queue ext-q_upload  priority 0 cbq(red) bandwidth 200Kb
# ---- NAT/rdr ----
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if)
# redirect ftp sessions to ftp-proxy running on localhost
rdr on $int_if proto tcp from any to ! ($int_if) port 21 -> 127.0.0.1 port 8021
# ugly hack
rdr on $int_if proto tcp from any to <dns:chief.homeunix.net> port 80 \
                                                        -> 127.0.0.1
# default deny
block log all
# "In lo0 we trust."
pass quick on lo0 all
# antispoof
antispoof quick for { lo0, $ext_if, $int_if, $ip6_if }
# block outgoing packets that don't have our source address
block out log quick on $ext_if inet from ! ($ext_if)
# block in from rfc1918
block drop in log quick on $ext_if inet from <rfc1918>
# Internal NIC
pass in quick on $int_if proto tcp from { 10.0.0.6, 10.0.0.20 } \
                to ! ($int_if:network) $f_def tag "upload"
pass quick on $int_if all
# pfsync nic
pass quick on $pfsync_if proto pfsync
# ---- ICMP ----
# pass out/in certain ICMP queries (ping) and keep state
# (queue name corrected to ext-q_pri: no queue named q_pri is defined in the ALTQ section above)
pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state queue ext-q_pri
# ---- UDP ----
# pass out all UDP connections and keep state
pass out on $ext_if proto udp all keep state
# ---- TCP ----
# pass out all TCP connections and keep state
pass out on $ext_if proto tcp all $f_def queue (ext-q_default, ext-q_pri)
pass out on $ext_if proto tcp all \
                $f_def queue(ext-q_upload, ext-q_pri) tagged "upload"
# pass in certain TCP connections and keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
                port $tcp_servers $f_srv
# pass in data mode connections for ftp-proxy running on this host.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
                user proxy $f_srv
# ftp
pass in on $ext_if inet proto tcp from <ftp-hosts> to ($ext_if) \
                port { ftp, 65520:65534 } $f_srv
# ipv6
table <tunnelbroker> persist
pass in on $ext_if inet proto 41 from <tunnelbroker> to ($ext_if) \
                queue ext-q_pri
pass out on $ext_if inet proto 41 from ($ext_if) to <tunnelbroker> \
                queue ext-q_pri
block log on $ip6_if all
pass in on $ip6_if inet6 proto icmp6 all
pass in on $ip6_if inet6 proto tcp from any to ($int_if:network) \
                port $tcp6_servers $f_srv
pass out on $ip6_if inet6 proto { tcp, udp, icmp6 } to any $f_def
ifconfig of the relevant interfaces:
------
ext_if:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1454
        address: 00:00:0e:9c:b0:62
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.2.2 netmask 0xfffffffc broadcast 192.168.2.3
        inet6 fe80::200:eff:fe9c:b062%fxp0 prefixlen 64 scopeid 0x1
int_if:
xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:50:04:71:6e:18
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.0.51 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::250:4ff:fe71:6e18%xl1 prefixlen 64 scopeid 0x3
        inet6 2001:960:660::1 prefixlen 64
And of course, a dmesg for Nick! ;)
------
OpenBSD 3.5-current (GENERIC) #77: Mon May 10 18:49:28 MDT 2004
    [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 397 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 66695168 (65132K)
avail mem = 53587968 (52332K)
using 839 buffers containing 3436544 bytes (3356K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(af) BIOS, date 05/13/99, BIOS32 rev. 0 @ 0xfd781
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xfd190/0xf4ec0
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf76d0/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xdc000/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Pro" rev 0x5c
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <FUJITSU MPC3043AT>
wd0: 16-sector PIO, LBA, 4125MB, 8448300 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <NEC, CD-ROM DRIVE:282, 4.62> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 7
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
fxp0 at pci0 dev 8 function 0 "Intel 82557" rev 0x05: irq 9, address 00:00:0e:9c:b0:62
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
xl0 at pci0 dev 18 function 0 "3Com 3c900 10Base-T" rev 0x00: irq 11 address 00:60:97:27:c3:25
xl1 at pci0 dev 20 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 10 address 00:50:04:71:6e:18
exphy0 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
wss1 at isapnp0 "CS4235, CSC0100, , WSS/SB" port 0x534/4,0x388/4,0x220/16 irq 5 drq 1,0: CS4236/CS4236B (vers 0)
audio0 at wss1
"CS4235, CSC010F, , Disabled" at isapnp0 not configured
"CS4235, CSC0110, , CTRL" at isapnp0 port 0x120/8 not configured
biomask c0c0 netmask cec0 ttymask cec2
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
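An added example (not code from the post or from pf) that reads the two tcpdump captures above and classifies each flow, flagging the pattern Johan describes: a SYN-ACK with window 0 (pf's synproxy answering on the server's behalf), repeated 1-byte segments from the client that are never ACKed (zero-window probes, since the proxy never opened the window), and finally a reset from the firewall side. It assumes the OpenBSD 3.x tcpdump formatting shown in the post and that each flow's first captured packet is the client's SYN; the sample lines are trimmed copies of the post's own captures.

```python
import re
from collections import defaultdict

PKT = re.compile(r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>[SRPF.]+) "
                 r"\[tcp sum ok\] (?:(?P<seq>\d+):\d+\((?P<len>\d+)\) )?"
                 r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)")
# Constructed sample: the post's two captures, trimmed to the fields parsed.
CAPTURE = """\
130.240.202.203.16876 > 192.168.2.2.80: S [tcp sum ok] 1377846560:1377846560(0) win 16384 <mss 1400>
192.168.2.2.80 > 130.240.202.203.16876: S [tcp sum ok] 105315117:105315117(0) ack 1377846561 win 0 <mss 1414>
130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] ack 1 win 16384
130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] 1:2(1) ack 1 win 16384
130.240.202.203.16876 > 192.168.2.2.80: . [tcp sum ok] 1:2(1) ack 1 win 16384
192.168.2.2.80 > 130.240.202.203.16876: R [tcp sum ok] 1:1(0) ack 2 win 0
130.240.202.203.16135 > 192.168.2.2.80: S [tcp sum ok] 1134756442:1134756442(0) win 16384 <mss 1400>
192.168.2.2.80 > 130.240.202.203.16135: S [tcp sum ok] 1294411693:1294411693(0) ack 1134756443 win 16384 <mss 1414>
130.240.202.203.16135 > 192.168.2.2.80: . [tcp sum ok] ack 1 win 16384
"""

def flows(text):
    """Group parsed packets by unordered endpoint pair, in capture order."""
    out = defaultdict(list)
    for m in filter(None, map(PKT.search, text.splitlines())):
        p = m.groupdict()
        p["len"], p["win"] = int(p["len"] or 0), int(p["win"])
        p["ack"] = int(p["ack"]) if p["ack"] else None
        out[frozenset((p["src"], p["dst"]))].append(p)
    return out

def classify(text):
    """Return {(client, server): verdict}; a flow's first packet is its SYN (assumption)."""
    verdicts = {}
    for pkts in flows(text).values():
        client, server = pkts[0]["src"], pkts[0]["dst"]
        srv = [p for p in pkts if p["src"] == server]
        synack = next((p for p in srv if "S" in p["flags"]), None)
        # In the post's dump pf's synproxy SYN-ACK advertises win 0, so the client cannot send data yet.
        proxied = synack is not None and synack["win"] == 0
        probes = [p for p in pkts if p["src"] == client and p["len"] > 0]
        # Relative numbering after the handshake: a plain server ACK above 1 means the bytes were accepted.
        acked = any(p["ack"] and p["ack"] > 1 for p in srv if not set("SR") & set(p["flags"]))
        reset = any("R" in p["flags"] for p in srv)
        if synack is None:
            v = "no SYN-ACK"
        elif proxied and probes and not acked and reset:
            v = "synproxy stall: %d unanswered probe(s), then RST" % len(probes)
        else:
            v = "synproxy handshake" if proxied else "direct handshake"
        verdicts[(client, server)] = v
    return verdicts
```

Run against the full tcpdump lines from the post (timestamps and MAC addresses included) the regex still matches, so the same classifier works on an unedited capture.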