Bug #863

floating rules breaks passive mode ftp

Added by Jesse Norell about 9 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
08/31/2010
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

I have a floating rule that allows port 21 traffic to an ftp server, and later on a catch-all floating rule to deny all other traffic to that server's subnet, both have "quick" option set. This causes the ftp proxy to break (the port 21 connection works, but passive mode connections are blocked). A similar rule configuration for inbound traffic on an interface works fine, just the floating rules have the problem.

Attachment: packetcapture_3_.cap (3.39 KB), Jesse Norell, 08/31/2010 01:34 PM

History

#1 Updated by Jesse Norell about 9 years ago

Sorry, this is on 2.0-BETA4 from Aug 30.

#2 Updated by Ermal Luçi about 9 years ago

Please show traces of traffic.
Provide either rules screenshots or the /tmp/rules.debug content.

And please also specify what ftp-proxy is?

#3 Updated by Jesse Norell about 9 years ago

Please show traces of traffic.

See attached pcap file. That is me connecting/logging in to the ftp server, issuing the "passive" command, then attempting a directory listing. In passive mode ftp, the ftp server tells the client what port to connect to to receive data (either file contents or in this case the directory listing), which was port 39898 in this case - the last two packets show my client trying to connect to port 39898 as the server instructed, but pfsense sent a RST instead of allowing the connection.

Provide either rules screenshots or the /tmp/rules.debug content.

This is the most reduced test case I can think of, and is from the rules in use at the time the attached packet capture was taken:

$ cat /tmp/rules.debug
#System aliases

loopback = "{ lo0 }" 
WAN = "{ re0 }" 
LAN = "{ re1 }" 

#SSH Lockout Table
table <sshlockout> persist
#Snort2C table
table <snort2c>

table <virusprot>

# User Aliases 

# Gateways
GWWANGW = " route-to ( re0 64.187.71.1 ) " 

set loginterface re0
set loginterface re1
set optimization normal
set limit states 97000

set skip on pfsync0

scrub in on $WAN all    fragment reassemble
scrub in on $LAN all    fragment reassemble

nat-anchor "natearly/*" 
nat-anchor "natrules/*" 

# Outbound NAT rules

# Load balancing anchor
rdr-anchor "relayd/*" 
# TFTP proxy
rdr-anchor "tftp-proxy/*" 
table <direct_networks> { 64.187.71.0/24 64.187.65.72/30 }
# UPnPd rdr anchor
rdr-anchor "miniupnpd" 

anchor "relayd/*" 
anchor "firewallrules" 
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule" 
block out log all label "Default deny rule" 

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# snort2c
block quick from <snort2c> to any label "Block snort2c hosts" 
block quick from any to <snort2c> label "Block snort2c hosts" 

# package manager early specific hook
anchor "packageearly" 

# carp
anchor "carp" 

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout" 
block in quick from <virusprot> to any label "virusprot overload table" 
antispoof for re0
antispoof for re1
# allow access to DHCP server on LAN
anchor "dhcpserverLAN" 
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server" 
pass in on $LAN proto udp from any port = 68 to 64.187.65.73 port = 67 label "allow access to DHCP server" 
pass out on $LAN proto udp from 64.187.65.73 port = 67 to any port = 68 label "allow access to DHCP server" 
anchor "spoofing" 

# loopback
anchor "loopback" 
pass in on $loopback all label "pass loopback" 
pass out on $loopback all label "pass loopback" 

anchor "firewallout" 
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself" 
pass out route-to ( re0 64.187.71.1 ) from 64.187.71.4 to !64.187.71.0/24 keep state allow-opts label "let out anything from firewall host itself" 
# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout" 
pass in quick on re1 from any to (re1) keep state label "anti-lockout rule" 

# User-defined rules follow
pass  out  quick  on {  re1  } proto tcp  from any to 64.187.65.72/30 port 21  flags S/SA keep state  label "USER_RULE: Allow connections to FTP server" 
block return  out log  quick  on {  re1  } from any to any  label "USER_RULE: default reject all" 
pass  in  quick  on $WAN reply-to ( re0 64.187.71.1 )  from any to any keep state  label "USER_RULE" 
pass  in  quick  on $LAN  from 64.187.65.72/30 to any keep state  label "USER_RULE: Default allow LAN to any rule" 
# WANLAN Incominh array key does not exist for  label "USER_RULE" 
# WANLAN Incominh array key does not exist for  label "USER_RULE" 

# VPN Rules
# package manager late specific hook
anchor "packagelate" 

anchor "tftp-proxy/*" 

anchor "limitingesr" 

# uPnPd
anchor "miniupnpd" 

And please also specify what ftp-proxy is?

Perhaps "ftp helper" is more accurate. pfSense 1.2 had a user-space ftp proxy application to make the various ports/connections in the different ftp modes work, but a touted feature of 2.0 is "LIBALIAS based in-kernel FTP helper" .. from what I gather it "just works" now, with no configuration to do; and it does work for interface rules, just not floating rules.

#4 Updated by Ermal Luçi about 9 years ago

Can you show me a pfctl -vvss when this happens?
Seems the automatic handling might be creating the state wrongly for the data traffic.

#5 Updated by Jesse Norell about 9 years ago

This is pfctl -vvss output (note the data connection was 64.187.64.40:56329 -> 64.187.65.74:41768 this time):

$ pfctl -vvss
all icmp 64.187.71.4:27192 -> 64.187.71.1       0:0
   age 00:02:56, expires in 00:00:09, 173:172 pkts, 11072:11008 bytes
   id: 4c7d77bc00000000 creatorid: 7581b730
all udp 64.187.71.4:36250 -> 70.86.250.6:123       MULTIPLE:MULTIPLE
   age 00:02:41, expires in 00:00:00, 9:9 pkts, 684:684 bytes, rule 32
   id: 4c7d77bc00000011 creatorid: 02ecc9b1
all udp 64.187.71.4:55960 -> 67.18.187.111:123       MULTIPLE:MULTIPLE
   age 00:02:41, expires in 00:00:05, 9:9 pkts, 684:684 bytes, rule 32
   id: 4c7d77bc00000012 creatorid: 02ecc9b1
all tcp 64.187.65.73:443 <- 64.187.65.74:50924       FIN_WAIT_2:FIN_WAIT_2
   [2637432600 + 64128] wscale 3  [2306417932 + 66607] wscale 6
   age 00:02:40, expires in 00:00:00, 149:205 pkts, 13009:202847 bytes, rule 34
   id: 4c7d77bc00000013 creatorid: 02ecc9b1
all tcp 64.187.65.73:443 <- 64.187.65.74:50925       FIN_WAIT_2:FIN_WAIT_2
   [2999960964 + 64128] wscale 3  [2301946297 + 66607] wscale 6
   age 00:02:40, expires in 00:00:32, 140:205 pkts, 16141:162625 bytes, rule 34
   id: 4c7d77bc00000014 creatorid: 02ecc9b1
all tcp 64.187.65.73:443 <- 64.187.65.74:50927       FIN_WAIT_2:FIN_WAIT_2
   [328449356 + 62592] wscale 3  [2305667688 + 66607] wscale 6
   age 00:02:40, expires in 00:00:00, 81:112 pkts, 10770:77231 bytes, rule 34
   id: 4c7d77bc00000016 creatorid: 02ecc9b1
all tcp 64.187.65.73:443 <- 64.187.65.74:50928       FIN_WAIT_2:FIN_WAIT_2
   [1562102134 + 64128] wscale 3  [2313936231 + 66607] wscale 6
   age 00:02:40, expires in 00:00:00, 144:186 pkts, 14094:169815 bytes, rule 34
   id: 4c7d77bc00000017 creatorid: 02ecc9b1
all tcp 64.187.65.73:443 <- 64.187.65.74:34909       FIN_WAIT_2:FIN_WAIT_2
   [3475447758 + 48576] wscale 3  [3926143046 + 66607] wscale 6
   age 00:00:57, expires in 00:01:17, 39:51 pkts, 2760:64837 bytes, rule 34
   id: 4c7d77bc00000026 creatorid: 02ecc9b1
all udp 255.255.255.255:67 <- 0.0.0.0:68       NO_TRAFFIC:SINGLE
   age 00:00:56, expires in 00:00:12, 5:0 pkts, 1640:0 bytes, rule 23
   id: 4c7d77bc00000027 creatorid: 02ecc9b1
all tcp 64.187.65.74:21 <- 64.187.64.40:52913       ESTABLISHED:ESTABLISHED
   [163893870 + 6912] wscale 6  [2567153661 + 5824] wscale 6
   age 00:00:23, expires in 23:59:55, 14:14 pkts, 768:1675 bytes, rule 37
   id: 4c7d77bc00000028 creatorid: 02ecc9b1
all tcp 64.187.64.40:52913 -> 64.187.65.74:21       ESTABLISHED:ESTABLISHED
   [2567153661 + 5824] wscale 6  [163893870 + 6912] wscale 6
   age 00:00:23, expires in 23:59:55, 14:14 pkts, 768:1675 bytes, rule 35
   id: 4c7d77bc00000029 creatorid: 02ecc9b1
all udp 64.187.64.4:53 <- 64.187.65.74:48937       SINGLE:MULTIPLE
   age 00:00:23, expires in 00:00:07, 1:1 pkts, 71:165 bytes, rule 38
   id: 4c7d77bc0000002a creatorid: 02ecc9b1
all udp 64.187.65.74:48937 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:23, expires in 00:00:07, 1:1 pkts, 71:165 bytes, rule 31
   id: 4c7d77bc0000002b creatorid: 02ecc9b1
all udp 64.187.64.4:53 <- 64.187.65.74:53085       SINGLE:MULTIPLE
   age 00:00:23, expires in 00:00:07, 1:1 pkts, 58:142 bytes, rule 38
   id: 4c7d77bc0000002c creatorid: 02ecc9b1
all udp 64.187.65.74:53085 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:23, expires in 00:00:07, 1:1 pkts, 58:142 bytes, rule 31
   id: 4c7d77bc0000002d creatorid: 02ecc9b1
all udp 255.255.255.255:68 <- 64.187.71.4:67       NO_TRAFFIC:SINGLE
   age 00:00:14, expires in 00:00:16, 2:0 pkts, 656:0 bytes, rule 37
   id: 4c7d77bc0000002e creatorid: 02ecc9b1
all tcp 64.187.64.40:41768 -> 64.187.65.74       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:05, expires in 00:01:55, 0:0 pkts, 0:0 bytes, rule 35
   id: 4c7d77bc0000002f creatorid: 02ecc9b1
all tcp 64.187.65.74:41768 <- 64.187.64.40:56329       CLOSED:SYN_SENT
   [0 + 0]  [3274366635 + 2]
   age 00:00:05, expires in 00:01:55, 1:0 pkts, 60:0 bytes, rule 37
   id: 4c7d77bc00000030 creatorid: 02ecc9b1
all udp 255.255.255.255:68 <- 192.168.19.1:67       NO_TRAFFIC:SINGLE
   age 00:00:04, expires in 00:00:56, 1:0 pkts, 328:0 bytes, rule 37
   id: 4c7d77bc00000031 creatorid: 02ecc9b1
all tcp 64.187.65.73:443 <- 64.187.65.74:34910       ESTABLISHED:ESTABLISHED
   [3953796794 + 6470] wscale 3  [520588873 + 66608] wscale 6
   age 00:00:01, expires in 24:00:00, 5:5 pkts, 1824:864 bytes, rule 34
   id: 4c7d77bc00000032 creatorid: 02ecc9b1

#6 Updated by Jesse Norell about 9 years ago

I'm not familiar with exactly what that output is, but it looks like this:

all tcp 64.187.64.40:41768 -> 64.187.65.74       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:05, expires in 00:01:55, 0:0 pkts, 0:0 bytes, rule 35
   id: 4c7d77bc0000002f creatorid: 02ecc9b1

May be what's wrong - it should be listening for any port on the client (64.187.64.40), going to dst port 41768 on the server (64.187.65.74). I.e. just like what happened in this closed connection:

all tcp 64.187.65.74:41768 <- 64.187.64.40:56329       CLOSED:SYN_SENT
   [0 + 0]  [3274366635 + 2]
   age 00:00:05, expires in 00:01:55, 1:0 pkts, 60:0 bytes, rule 37
   id: 4c7d77bc00000030 creatorid: 02ecc9b1

I'll note the floating rule was set on the "out" direction of the LAN interface, maybe something is tripped up because of that?

#7 Updated by Ermal Luçi about 9 years ago

  • Status changed from New to Feedback

Test with the latest snapshot.

#8 Updated by Jesse Norell about 9 years ago

Tested with:

2.0-BETA4 (i386)
built on Wed Sep 1 11:07:08 EDT 2010
FreeBSD 8.1-RELEASE

And has the same problem; pfctl output (port 52220 was the passive connection attempt) is:

$ pfctl -vvss
all icmp 64.187.71.4:41782 -> 64.187.71.1       0:0
   age 00:01:21, expires in 00:00:10, 82:80 pkts, 5248:5120 bytes
   id: 4c7ecae000000000 creatorid: 3dc26165
all tcp 127.0.0.1:56899 -> 127.0.0.1:443       FIN_WAIT_2:FIN_WAIT_2
   [392395085 + 71679] wscale 3  [1209201555 + 71680] wscale 3
   age 00:01:20, expires in 00:00:11, 141:140 pkts, 8423:24464 bytes
   id: 4c7ecae000000001 creatorid: 3dc26165
all tcp 127.0.0.1:443 <- 127.0.0.1:56899       FIN_WAIT_2:FIN_WAIT_2
   [1209201555 + 71680] wscale 3  [392395085 + 71679] wscale 3
   age 00:01:20, expires in 00:00:11, 141:140 pkts, 8423:24464 bytes
   id: 4c7ecae000000002 creatorid: 3dc26165
all tcp 64.187.65.73:443 <- 64.187.65.74:33647       ESTABLISHED:ESTABLISHED
   [603715598 + 44998] wscale 3  [2179479804 + 66608] wscale 6
   age 00:01:10, expires in 24:00:00, 193:1037 pkts, 16854:213592 bytes, rule 34
   id: 4c7ecae000000014 creatorid: ead363b1
all udp 64.187.71.4:14507 -> 169.229.70.95:123       MULTIPLE:MULTIPLE
   age 00:01:09, expires in 00:00:31, 7:7 pkts, 532:532 bytes, rule 32
   id: 4c7ecae000000017 creatorid: ead363b1
all udp 64.187.71.4:26291 -> 65.18.173.237:123       MULTIPLE:MULTIPLE
   age 00:01:09, expires in 00:00:34, 7:7 pkts, 532:532 bytes, rule 32
   id: 4c7ecae000000019 creatorid: ead363b1
all tcp 64.187.71.4:22135 -> 69.64.6.6:80       FIN_WAIT_2:FIN_WAIT_2
   [3904347340 + 66608] wscale 3  [772943292 + 66607] wscale 3
   age 00:01:05, expires in 00:00:25, 6:4 pkts, 435:548 bytes, rule 32
   id: 4c7ecae00000001c creatorid: ead363b1
all tcp 64.187.65.74:21 <- 64.187.64.40:42382       ESTABLISHED:ESTABLISHED
   [2888768655 + 6912] wscale 6  [1429839149 + 5824] wscale 6
   age 00:00:24, expires in 23:59:44, 19:18 pkts, 1062:2013 bytes, rule 37
   id: 4c7ecae00000001d creatorid: ead363b1
all tcp 64.187.64.40:42382 -> 64.187.65.74:21       ESTABLISHED:ESTABLISHED
   [1429839149 + 5824] wscale 6  [2888768655 + 6912] wscale 6
   age 00:00:24, expires in 23:59:44, 19:18 pkts, 1062:2013 bytes, rule 35
   id: 4c7ecae00000001e creatorid: ead363b1
all udp 64.187.64.4:53 <- 64.187.65.74:58189       SINGLE:MULTIPLE
   age 00:00:24, expires in 00:00:06, 1:1 pkts, 71:165 bytes, rule 38
   id: 4c7ecae00000001f creatorid: ead363b1
all udp 64.187.65.74:58189 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:24, expires in 00:00:06, 1:1 pkts, 71:165 bytes, rule 31
   id: 4c7ecae000000020 creatorid: ead363b1
all udp 64.187.64.4:53 <- 64.187.65.74:46982       SINGLE:MULTIPLE
   age 00:00:24, expires in 00:00:06, 1:1 pkts, 58:142 bytes, rule 38
   id: 4c7ecae000000021 creatorid: ead363b1
all udp 64.187.65.74:46982 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:24, expires in 00:00:06, 1:1 pkts, 58:142 bytes, rule 31
   id: 4c7ecae000000022 creatorid: ead363b1
all tcp 64.187.64.40 -> 64.187.65.74:53237 -> 64.187.65.74:53237       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:19, expires in 00:01:41, 0:0 pkts, 0:0 bytes, rule 37
   id: 4c7ecae000000023 creatorid: ead363b1
all tcp 64.187.65.74 <- 64.187.64.40:53237 <- 64.187.64.40:53237       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:19, expires in 00:01:41, 0:0 pkts, 0:0 bytes, rule 35
   id: 4c7ecae000000024 creatorid: ead363b1
all tcp 64.187.64.40:53237 <- 64.187.65.74:20       FIN_WAIT_2:FIN_WAIT_2
   [2215058851 + 5888] wscale 6  [2975066593 + 5824] wscale 6
   age 00:00:19, expires in 00:01:11, 5:3 pkts, 336:164 bytes, rule 38
   id: 4c7ecae000000025 creatorid: ead363b1
all tcp 64.187.65.74:20 -> 64.187.64.40:53237       FIN_WAIT_2:FIN_WAIT_2
   [2975066593 + 5824] wscale 6  [2215058851 + 5888] wscale 6
   age 00:00:19, expires in 00:01:11, 5:3 pkts, 336:164 bytes, rule 31
   id: 4c7ecae000000026 creatorid: ead363b1
all udp 64.187.64.4:53 <- 64.187.65.74:54708       SINGLE:MULTIPLE
   age 00:00:19, expires in 00:00:11, 1:1 pkts, 71:165 bytes, rule 38
   id: 4c7ecae000000027 creatorid: ead363b1
all udp 64.187.65.74:54708 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:19, expires in 00:00:11, 1:1 pkts, 71:165 bytes, rule 31
   id: 4c7ecae000000028 creatorid: ead363b1
all udp 64.187.64.4:53 <- 64.187.65.74:57624       SINGLE:MULTIPLE
   age 00:00:19, expires in 00:00:11, 1:1 pkts, 58:142 bytes, rule 38
   id: 4c7ecae000000029 creatorid: ead363b1
all udp 64.187.65.74:57624 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:19, expires in 00:00:11, 1:1 pkts, 58:142 bytes, rule 31
   id: 4c7ecae00000002a creatorid: ead363b1
all udp 255.255.255.255:68 <- 64.187.71.4:67       NO_TRAFFIC:SINGLE
   age 00:00:17, expires in 00:00:29, 3:0 pkts, 984:0 bytes, rule 37
   id: 4c7ecae00000002b creatorid: ead363b1
all tcp 64.187.64.40:52220 -> 64.187.65.74       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:16, expires in 00:01:44, 0:0 pkts, 0:0 bytes, rule 35
   id: 4c7ecae00000002c creatorid: ead363b1
all tcp 64.187.65.74:52220 <- 64.187.64.40:59514       CLOSED:SYN_SENT
   [0 + 0]  [1103004965 + 2]
   age 00:00:16, expires in 00:01:44, 1:0 pkts, 60:0 bytes, rule 37
   id: 4c7ecae00000002d creatorid: ead363b1
all igmp 224.0.0.1 <- 64.187.71.182       NO_TRAFFIC:SINGLE
   age 00:00:00, expires in 00:01:00, 1:0 pkts, 28:0 bytes, rule 37
   id: 4c7ecae00000002e creatorid: ead363b1

#9 Updated by Ermal Luçi about 9 years ago

Again with newer snapshot please.

#10 Updated by Jesse Norell about 9 years ago

Testing with:

2.0-BETA4 (i386)
built on Mon Sep 6 22:04:59 EDT 2010
FreeBSD 8.1-RELEASE

It still doesn't work, but this output looks a little different (port 45132 was the passive connection attempt):

$ pfctl -vvss
all icmp 64.187.71.5:43321 -> 64.187.71.1       0:0
   age 00:03:55, expires in 00:00:09, 233:232 pkts, 14912:14848 bytes
   id: 4c866c7900000000 creatorid: af1446cf
all tcp 64.187.65.73:80 <- 64.187.65.74:54047       ESTABLISHED:ESTABLISHED
   [1670440525 + 64128] wscale 3  [240482193 + 66608] wscale 6
   age 00:03:36, expires in 24:00:00, 122:143 pkts, 13500:101629 bytes, rule 30
   id: 4c866c790000000e creatorid: 0745b67e
all tcp 64.187.65.73:80 <- 64.187.65.74:54048       ESTABLISHED:ESTABLISHED
   [3786568118 + 44608] wscale 3  [240816435 + 66608] wscale 6
   age 00:03:35, expires in 23:59:55, 39:38 pkts, 8549:11410 bytes, rule 30
   id: 4c866c790000000f creatorid: 0745b67e
all tcp 64.187.64.17:22 <- 64.187.65.74:39023       ESTABLISHED:ESTABLISHED
   [491294868 + 10560] wscale 3  [485107982 + 12128] wscale 6
   age 00:03:20, expires in 23:59:45, 21:23 pkts, 2988:2940 bytes, rule 34
   id: 4c866c7900000015 creatorid: 0745b67e
all tcp 64.187.65.74:39023 -> 64.187.64.17:22       ESTABLISHED:ESTABLISHED
   [485107982 + 12128] wscale 6  [491294868 + 10560] wscale 3
   age 00:03:20, expires in 23:59:45, 21:23 pkts, 2988:2940 bytes, rule 27
   id: 4c866c7900000016 creatorid: 0745b67e
all tcp 64.187.65.74:57000 -> 208.67.216.142:443       TIME_WAIT:TIME_WAIT
   [1604535991 + 66570] wscale 6  [2142832574 + 57088] wscale 3
   age 00:02:09, expires in 00:00:00, 34:25 pkts, 7064:15315 bytes, rule 27
   id: 4c866c7900000059 creatorid: 0745b67e
all tcp 208.67.216.142:443 <- 64.187.65.74:57001       TIME_WAIT:TIME_WAIT
   [2853920501 + 42176] wscale 3  [1600863429 + 66570] wscale 6
   age 00:02:09, expires in 00:00:00, 31:22 pkts, 6940:9214 bytes, rule 34
   id: 4c866c790000005a creatorid: 0745b67e
all tcp 64.187.65.74:57001 -> 208.67.216.142:443       TIME_WAIT:TIME_WAIT
   [1600863429 + 66570] wscale 6  [2853920501 + 42176] wscale 3
   age 00:02:09, expires in 00:00:00, 31:22 pkts, 6940:9214 bytes, rule 27
   id: 4c866c790000005b creatorid: 0745b67e
all tcp 72.233.44.61:80 <- 64.187.65.74:42101       FIN_WAIT_2:FIN_WAIT_2
   [2990036220 + 34816] wscale 9  [1623044115 + 16896] wscale 6
   age 00:02:07, expires in 00:00:21, 23:15 pkts, 6495:4688 bytes, rule 34
   id: 4c866c790000006e creatorid: 0745b67e
all tcp 64.187.65.74:42101 -> 72.233.44.61:80       FIN_WAIT_2:FIN_WAIT_2
   [1623044115 + 16896] wscale 6  [2990036220 + 34816] wscale 9
   age 00:02:07, expires in 00:00:21, 23:15 pkts, 6495:4688 bytes, rule 27
   id: 4c866c790000006f creatorid: 0745b67e
all tcp 72.233.44.61:80 <- 64.187.65.74:42102       FIN_WAIT_2:FIN_WAIT_2
   [3537404028 + 31936] wscale 9  [1636518306 + 15872] wscale 6
   age 00:02:07, expires in 00:00:06, 21:14 pkts, 5847:4364 bytes, rule 34
   id: 4c866c7900000070 creatorid: 0745b67e
all tcp 64.187.65.74:42102 -> 72.233.44.61:80       FIN_WAIT_2:FIN_WAIT_2
   [1636518306 + 15872] wscale 6  [3537404028 + 31936] wscale 9
   age 00:02:07, expires in 00:00:06, 21:14 pkts, 5847:4364 bytes, rule 27
   id: 4c866c7900000071 creatorid: 0745b67e
all tcp 72.233.44.61:80 <- 64.187.65.74:42103       FIN_WAIT_2:FIN_WAIT_2
   [2523849067 + 28288] wscale 9  [1634695580 + 15872] wscale 6
   age 00:02:07, expires in 00:00:21, 21:17 pkts, 5808:5839 bytes, rule 34
   id: 4c866c7900000072 creatorid: 0745b67e
all tcp 64.187.65.74:42103 -> 72.233.44.61:80       FIN_WAIT_2:FIN_WAIT_2
   [1634695580 + 15872] wscale 6  [2523849067 + 28288] wscale 9
   age 00:02:07, expires in 00:00:21, 21:17 pkts, 5808:5839 bytes, rule 27
   id: 4c866c7900000073 creatorid: 0745b67e
all tcp 72.233.44.61:80 <- 64.187.65.74:42104       FIN_WAIT_2:FIN_WAIT_2
   [3919777058 + 31936] wscale 9  [1636825586 + 15872] wscale 6
   age 00:02:07, expires in 00:00:06, 22:15 pkts, 5849:5734 bytes, rule 34
   id: 4c866c7900000074 creatorid: 0745b67e
all tcp 64.187.65.74:42104 -> 72.233.44.61:80       FIN_WAIT_2:FIN_WAIT_2
   [1636825586 + 15872] wscale 6  [3919777058 + 31936] wscale 9
   age 00:02:07, expires in 00:00:06, 22:15 pkts, 5849:5734 bytes, rule 27
   id: 4c866c7900000075 creatorid: 0745b67e
all tcp 72.233.44.61:80 <- 64.187.65.74:42105       FIN_WAIT_2:FIN_WAIT_2
   [3754521725 + 22976] wscale 9  [1639416829 + 12288] wscale 6
   age 00:02:07, expires in 00:00:06, 16:11 pkts, 4038:3299 bytes, rule 34
   id: 4c866c7900000076 creatorid: 0745b67e
all tcp 64.187.65.74:42105 -> 72.233.44.61:80       FIN_WAIT_2:FIN_WAIT_2
   [1639416829 + 12288] wscale 6  [3754521725 + 22976] wscale 9
   age 00:02:07, expires in 00:00:06, 16:11 pkts, 4038:3299 bytes, rule 27
   id: 4c866c7900000077 creatorid: 0745b67e
all tcp 72.233.44.61:80 <- 64.187.65.74:42106       FIN_WAIT_2:FIN_WAIT_2
   [2703743372 + 31936] wscale 9  [1626880173 + 15872] wscale 6
   age 00:02:07, expires in 00:00:21, 22:16 pkts, 5860:5774 bytes, rule 34
   id: 4c866c7900000078 creatorid: 0745b67e
all tcp 64.187.65.74:42106 -> 72.233.44.61:80       FIN_WAIT_2:FIN_WAIT_2
   [1626880173 + 15872] wscale 6  [2703743372 + 31936] wscale 9
   age 00:02:07, expires in 00:00:21, 22:16 pkts, 5860:5774 bytes, rule 27
   id: 4c866c7900000079 creatorid: 0745b67e
all tcp 209.85.225.139:80 <- 64.187.65.74:57582       ESTABLISHED:ESTABLISHED
   [579123601 + 8768] wscale 6  [2523764321 + 8064] wscale 6
   age 00:01:10, expires in 23:58:50, 4:3 pkts, 1412:1151 bytes, rule 34
   id: 4c866c7900000091 creatorid: 0745b67e
all tcp 64.187.65.74:57582 -> 209.85.225.139:80       ESTABLISHED:ESTABLISHED
   [2523764321 + 8064] wscale 6  [579123601 + 8768] wscale 6
   age 00:01:10, expires in 23:58:50, 4:3 pkts, 1412:1151 bytes, rule 27
   id: 4c866c7900000092 creatorid: 0745b67e
all igmp 224.0.0.1 <- 64.187.71.182       NO_TRAFFIC:SINGLE
   age 00:01:03, expires in 00:00:00, 1:0 pkts, 28:0 bytes, rule 33
   id: 4c866c7900000093 creatorid: 0745b67e
all udp 255.255.255.255:68 <- 64.187.71.4:67       NO_TRAFFIC:SINGLE
   age 00:01:02, expires in 00:00:00, 1:0 pkts, 328:0 bytes, rule 33
   id: 4c866c7900000094 creatorid: 0745b67e
all tcp 64.187.65.74:21 <- 64.187.64.40:32940       ESTABLISHED:ESTABLISHED
   [3086052795 + 6912] wscale 6  [57851658 + 5824] wscale 6
   age 00:00:35, expires in 23:59:31, 19:20 pkts, 1062:2116 bytes, rule 33
   id: 4c866c7900000095 creatorid: 0745b67e
all tcp 64.187.64.40:32940 -> 64.187.65.74:21       ESTABLISHED:ESTABLISHED
   [57851658 + 5824] wscale 6  [3086052795 + 6912] wscale 6
   age 00:00:35, expires in 23:59:31, 19:20 pkts, 1062:2116 bytes, rule 31
   id: 4c866c7900000096 creatorid: 0745b67e
all tcp 64.187.64.40 -> 64.187.65.74:53367 -> 64.187.65.74:53367       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:32, expires in 00:01:28, 0:0 pkts, 0:0 bytes, rule 33
   id: 4c866c790000009b creatorid: 0745b67e
all tcp 64.187.65.74:53367 <- 64.187.64.40:53367 <- 64.187.64.40       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:32, expires in 00:01:28, 0:0 pkts, 0:0 bytes, rule 31
   id: 4c866c790000009c creatorid: 0745b67e
all tcp 64.187.64.40:53367 <- 64.187.65.74:20       FIN_WAIT_2:FIN_WAIT_2
   [3106962232 + 5888] wscale 6  [3137179148 + 5824] wscale 6
   age 00:00:32, expires in 00:00:58, 5:3 pkts, 336:164 bytes, rule 34
   id: 4c866c790000009d creatorid: 0745b67e
all tcp 64.187.65.74:20 -> 64.187.64.40:53367       FIN_WAIT_2:FIN_WAIT_2
   [3137179148 + 5824] wscale 6  [3106962232 + 5888] wscale 6
   age 00:00:32, expires in 00:00:58, 5:3 pkts, 336:164 bytes, rule 27
   id: 4c866c790000009e creatorid: 0745b67e
all udp 64.187.64.4:53 <- 64.187.65.74:54392       SINGLE:MULTIPLE
   age 00:00:32, expires in 00:00:00, 1:1 pkts, 71:165 bytes, rule 34
   id: 4c866c790000009f creatorid: 0745b67e
all udp 64.187.65.74:54392 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:32, expires in 00:00:00, 1:1 pkts, 71:165 bytes, rule 27
   id: 4c866c79000000a0 creatorid: 0745b67e
all udp 64.187.64.4:53 <- 64.187.65.74:59026       SINGLE:MULTIPLE
   age 00:00:32, expires in 00:00:00, 1:1 pkts, 58:142 bytes, rule 34
   id: 4c866c79000000a1 creatorid: 0745b67e
all udp 64.187.65.74:59026 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:32, expires in 00:00:00, 1:1 pkts, 58:142 bytes, rule 27
   id: 4c866c79000000a2 creatorid: 0745b67e
all tcp 64.187.64.40:45132 -> 64.187.65.74       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:29, expires in 00:01:31, 0:0 pkts, 0:0 bytes, rule 31
   id: 4c866c79000000a3 creatorid: 0745b67e
all tcp 64.187.65.74 <- 64.187.65.74:45132 <- 64.187.64.40:45132       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:29, expires in 00:01:31, 0:0 pkts, 0:0 bytes, rule 33
   id: 4c866c79000000a4 creatorid: 0745b67e
all tcp 64.187.65.74:45132 <- 64.187.64.40:46770       CLOSED:SYN_SENT
   [0 + 1]  [3497388019 + 2]
   age 00:00:29, expires in 00:01:31, 1:0 pkts, 60:0 bytes, rule 33
   id: 4c866c79000000a5 creatorid: 0745b67e
all udp 64.187.64.4:53 <- 64.187.65.74:41235       SINGLE:MULTIPLE
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:160 bytes, rule 34
   id: 4c866c79000000a6 creatorid: 0745b67e
all udp 64.187.65.74:41235 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:160 bytes, rule 27
   id: 4c866c79000000a7 creatorid: 0745b67e
all udp 64.187.64.4:53 <- 64.187.65.74:49660       SINGLE:MULTIPLE
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:262 bytes, rule 34
   id: 4c866c79000000a8 creatorid: 0745b67e
all udp 64.187.65.74:49660 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:262 bytes, rule 27
   id: 4c866c79000000a9 creatorid: 0745b67e
all tcp 74.125.162.164:80 <- 64.187.65.74:43611       ESTABLISHED:ESTABLISHED
   [3695470236 + 40896] wscale 6  [3606132736 + 7872] wscale 6
   age 00:00:02, expires in 23:59:59, 99:104 pkts, 6965:152828 bytes, rule 34
   id: 4c866c79000000aa creatorid: 0745b67e
all tcp 64.187.65.74:43611 -> 74.125.162.164:80       ESTABLISHED:ESTABLISHED
   [3606132736 + 7872] wscale 6  [3695470236 + 40896] wscale 6
   age 00:00:02, expires in 23:59:59, 99:104 pkts, 6965:152828 bytes, rule 27
   id: 4c866c79000000ab creatorid: 0745b67e

#11 Updated by Ermal Luçi almost 9 years ago

This should be ok on latest snapshots as confirmed by others.
Please confirm or this will be put to resolved status.

#12 Updated by Jesse Norell almost 9 years ago

Tested with latest snapshot (2.0-BETA 4 (i386) built on Tue Dec 21 12:44:54 EST 2010), and still not working. Active mode ftp works, passive mode does not.

$ pfctl -vvss
all icmp 64.187.71.5:22089 -> 64.187.71.1       0:0
   age 00:00:28, expires in 00:00:09, 28:28 pkts, 1792:1792 bytes, rule 22
   id: 4d123f09000000de creatorid: f982436b
all tcp 64.187.65.73:80 <- 64.187.65.74:45857       ESTABLISHED:ESTABLISHED
   [108517432 + 64128] wscale 3  [958062932 + 66568] wscale 6
   age 00:00:25, expires in 24:00:00, 34:33 pkts, 5256:37003 bytes, rule 24
   id: 4d123f09000000df creatorid: f982436b
all udp 255.255.255.255:67 <- 0.0.0.0:68       NO_TRAFFIC:SINGLE
   age 00:00:23, expires in 00:00:29, 2:0 pkts, 656:0 bytes, rule 28
   id: 4d123f09000000e0 creatorid: f982436b
all udp 255.255.255.255:68 <- 64.187.71.4:67       NO_TRAFFIC:SINGLE
   age 00:00:23, expires in 00:00:29, 3:0 pkts, 984:0 bytes, rule 28
   id: 4d123f09000000e1 creatorid: f982436b
all udp 64.6.144.6:123 <- 64.187.65.74:123       SINGLE:MULTIPLE
   age 00:00:18, expires in 00:00:12, 1:1 pkts, 76:76 bytes, rule 29
   id: 4d123f09000000e2 creatorid: f982436b
all udp 64.187.65.74:123 -> 64.6.144.6:123       MULTIPLE:SINGLE
   age 00:00:18, expires in 00:00:12, 1:1 pkts, 76:76 bytes, rule 22
   id: 4d123f09000000e3 creatorid: f982436b
all udp 255.255.255.255:68 <- 172.19.0.2:67       NO_TRAFFIC:SINGLE
   age 00:00:18, expires in 00:00:42, 1:0 pkts, 328:0 bytes, rule 28
   id: 4d123f09000000e4 creatorid: f982436b
all udp 67.202.107.55:123 <- 64.187.65.74:123       SINGLE:MULTIPLE
   age 00:00:10, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 29
   id: 4d123f09000000e5 creatorid: f982436b
all udp 64.187.65.74:123 -> 67.202.107.55:123       MULTIPLE:SINGLE
   age 00:00:10, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 22
   id: 4d123f09000000e6 creatorid: f982436b
all tcp 64.187.65.74:21 <- 64.187.64.40:39872       ESTABLISHED:ESTABLISHED
   [1208096112 + 6912] wscale 6  [307474235 + 5824] wscale 6
   age 00:00:09, expires in 23:59:57, 14:13 pkts, 774:1431 bytes, rule 28
   id: 4d123f09000000e7 creatorid: f982436b
all tcp 64.187.64.40:39872 -> 64.187.65.74:21       ESTABLISHED:ESTABLISHED
   [307474235 + 5824] wscale 6  [1208096112 + 6912] wscale 6
   age 00:00:09, expires in 23:59:57, 14:13 pkts, 774:1431 bytes, rule 26
   id: 4d123f09000000e8 creatorid: f982436b
all udp 64.187.64.4:53 <- 64.187.65.74:54218       SINGLE:MULTIPLE
   age 00:00:09, expires in 00:00:21, 1:1 pkts, 71:165 bytes, rule 29
   id: 4d123f09000000e9 creatorid: f982436b
all udp 64.187.65.74:54218 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:09, expires in 00:00:21, 1:1 pkts, 71:165 bytes, rule 22
   id: 4d123f09000000ea creatorid: f982436b
all udp 64.187.64.4:53 <- 64.187.65.74:48692       SINGLE:MULTIPLE
   age 00:00:09, expires in 00:00:21, 1:1 pkts, 58:142 bytes, rule 29
   id: 4d123f09000000eb creatorid: f982436b
all udp 64.187.65.74:48692 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:09, expires in 00:00:21, 1:1 pkts, 58:142 bytes, rule 22
   id: 4d123f09000000ec creatorid: f982436b
all tcp 64.187.64.40:47798 -> 64.187.65.74       LISTEN:LISTEN
   [0 + 0]  [0 + 0]
   age 00:00:03, expires in 00:01:57, 0:0 pkts, 0:0 bytes, rule 26
   id: 4d123f09000000ed creatorid: f982436b
all tcp 64.187.65.74:47798 <- 64.187.64.40:54976       CLOSED:SYN_SENT
   [0 + 0]  [1640765136 + 2]
   age 00:00:03, expires in 00:01:57, 1:1 pkts, 60:88 bytes, rule 28
   id: 4d123f09000000ee creatorid: f982436b

To refresh (at least my) memory on what's what here, 64.187.64.40 was my ftp client, coming in the WAN, and 64.187.65.74 is my ftp server on the LAN. I have one rule allowing everything in the WAN interface, and 2 floating rules outbound on LAN interface, the first allows port 21, the second denies everything else. (The port 21 connection works, just the passive mode ftp data connection does not.) I am not using NAT.

In the above (last 2 entries), port 47798 was the ftp data connection; the all tcp 64.187.64.40:47798 -> 64.187.65.74 LISTEN:LISTEN has it listed as the source port of my client when it is in fact the destination port of the server for that connection (all tcp 64.187.65.74:47798 <- 64.187.64.40:54976 CLOSED:SYN_SENT is from the connection attempt my client actually made).

Also testing in the other direction also fails, though differently (conversely?). With the same rules as above, I ran an ftp client from 64.187.65.74, and there I can use passive mode ftp, but I can not use active mode.
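
The check described in comments #6 and #12, as an added example that is not part of the thread or of pfSense: it parses `pfctl -vvss` state headers and, for each `LISTEN:LISTEN` entry, reports which host the port is pinned to versus which host the `SYN_SENT` attempt actually used it on. It assumes the arrow points from source to destination (which matches the port 21 entries above); the function names and the second sample, with the port moved to the server side, are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Header line of one state entry, e.g.
#   all tcp 64.187.65.74:21 <- 64.187.64.40:39872       ESTABLISHED:ESTABLISHED
# Entries printed with three endpoints do not match and are skipped.
STATE_RE = re.compile(
    r"^all (?P<proto>\w+) (?P<left>\S+) (?P<arrow>->|<-) (?P<right>\S+)"
    r"\s+(?P<state>\S+:\S+)\s*$"
)
# IPv4 address with an optional port; a wildcard port is printed as no port.
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")


class Endpoint(NamedTuple):
    ip: str
    port: Optional[int]


class State(NamedTuple):
    proto: str
    src: Endpoint
    dst: Endpoint
    state: str


def parse_endpoint(text: str) -> Optional[Endpoint]:
    m = ENDPOINT_RE.match(text)
    if not m:
        return None
    return Endpoint(m.group(1), int(m.group(2)) if m.group(2) else None)


def parse_states(text: str) -> List[State]:
    """Return one State per header line; indented detail lines are ignored."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        left, right = parse_endpoint(m["left"]), parse_endpoint(m["right"])
        if left is None or right is None:
            continue
        # Assumption: the arrow points from source to destination.
        src, dst = (left, right) if m["arrow"] == "->" else (right, left)
        states.append(State(m["proto"], src, dst, m["state"]))
    return states


def check_expectations(text: str) -> List[dict]:
    """Compare each LISTEN:LISTEN entry with the SYN_SENT attempt on its port."""
    states = parse_states(text)
    attempts = [s for s in states if s.proto == "tcp" and "SYN_SENT" in s.state]
    findings = []
    for exp in states:
        if exp.proto != "tcp" or exp.state != "LISTEN:LISTEN":
            continue
        pinned = [e for e in (exp.src, exp.dst) if e.port is not None]
        if len(pinned) != 1:  # need exactly one fixed port and one wildcard
            continue
        port_ep = pinned[0]
        hosts = {exp.src.ip, exp.dst.ip}
        for att in attempts:
            if {att.src.ip, att.dst.ip} != hosts:
                continue
            users = [e for e in (att.src, att.dst) if e.port == port_ep.port]
            if not users:
                continue
            findings.append({
                "port": port_ep.port,
                "expected_on": port_ep.ip,  # host the helper pinned the port to
                "used_on": users[0].ip,     # host that really owns the port
                "mismatch": users[0].ip != port_ep.ip,
            })
    return findings


# FTP-related entries excerpted from the pfctl -vvss output in comment #12.
SAMPLE_FROM_THREAD = """\
all tcp 64.187.65.74:21 <- 64.187.64.40:39872       ESTABLISHED:ESTABLISHED
   age 00:00:09, expires in 23:59:57, 14:13 pkts, 774:1431 bytes, rule 28
all tcp 64.187.64.40:39872 -> 64.187.65.74:21       ESTABLISHED:ESTABLISHED
   age 00:00:09, expires in 23:59:57, 14:13 pkts, 774:1431 bytes, rule 26
all tcp 64.187.64.40:47798 -> 64.187.65.74       LISTEN:LISTEN
   age 00:00:03, expires in 00:01:57, 0:0 pkts, 0:0 bytes, rule 26
all tcp 64.187.65.74:47798 <- 64.187.64.40:54976       CLOSED:SYN_SENT
   age 00:00:03, expires in 00:01:57, 1:1 pkts, 60:88 bytes, rule 28
"""

# Constructed variant: the same entries with the port pinned to the server.
SAMPLE_CONSTRUCTED = SAMPLE_FROM_THREAD.replace(
    "64.187.64.40:47798 -> 64.187.65.74 ",
    "64.187.64.40 -> 64.187.65.74:47798 ",
)

if __name__ == "__main__":
    for name, sample in (("thread", SAMPLE_FROM_THREAD),
                         ("constructed", SAMPLE_CONSTRUCTED)):
        for finding in check_expectations(sample):
            print(name, finding)
```
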

#13 Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to New

#14 Updated by Ermal Luçi almost 9 years ago

Well, it's a bug per se, but I would not consider it critical for 2.0.
It's rather unusual to filter outgoing on a box; that is why it was a second thought to finish this.

#15 Updated by Ermal Luçi almost 9 years ago

  • Target version changed from 2.0 to Future

#16 Updated by Ermal Luçi over 8 years ago

  • Status changed from New to Feedback

Try a newer snapshot than the date of this post; it should fix the issue.
Although this is not a target for 2.0, the fix was needed for other cases, so this was a byproduct of that.

#17 Updated by Jesse Norell over 8 years ago

There is some improvement: I can now use an ftp client on LAN in either passive or active mode, but still can't use passive mode to an ftp server on the LAN. This is with 2.0-BETA5 (i386) built on Wed Jan 19 02:10:47 EST 2011.

The behavior on the network is quite different now. My ftp control connection (port 21) worked fine, and active connections work fine, but when I changed to passive mode and tried a directory listing, the data connection actually succeeded (this was previously being reset), but the control connection was immediately reset (tcp RST to 64.187.64.40:34808).

$ pfctl -vvss
all icmp 64.187.71.5:53072 -> 64.187.71.1       0:0
   age 00:00:36, expires in 00:00:10, 37:37 pkts, 2368:2368 bytes, rule 26
   id: 4d371c240000025c creatorid: ef5db833
all tcp 64.187.65.73:80 <- 64.187.65.74:44055       ESTABLISHED:ESTABLISHED
   [1504293832 + 40640] wscale 3  [1348139511 + 66496] wscale 6
   age 00:00:25, expires in 24:00:00, 18:17 pkts, 3055:18142 bytes, rule 28
   id: 4d371c240000025d creatorid: ef5db833
all tcp 64.187.65.74:21 <- 64.187.64.40:34808       ESTABLISHED:ESTABLISHED
   [1510363712 + 6912] wscale 6  [1418967415 + 5824] wscale 6
   age 00:00:13, expires in 23:59:54, 14:15 pkts, 769:1757 bytes, rule 32
   id: 4d371c240000025e creatorid: ef5db833
all tcp 64.187.64.40:34808 -> 64.187.65.74:21       ESTABLISHED:ESTABLISHED
   [1418967415 + 5824] wscale 6  [1510363712 + 6861] wscale 6
   age 00:00:13, expires in 23:59:54, 13:14 pkts, 717:1677 bytes, rule 30
   id: 4d371c240000025f creatorid: ef5db833
all udp 64.187.64.4:53 <- 64.187.65.74:54290       SINGLE:MULTIPLE
   age 00:00:13, expires in 00:00:17, 1:1 pkts, 71:165 bytes, rule 33
   id: 4d371c2400000260 creatorid: ef5db833
all udp 64.187.65.74:54290 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:13, expires in 00:00:17, 1:1 pkts, 71:165 bytes, rule 26
   id: 4d371c2400000261 creatorid: ef5db833
all udp 64.187.64.4:53 <- 64.187.65.74:53727       SINGLE:MULTIPLE
   age 00:00:13, expires in 00:00:17, 1:1 pkts, 58:142 bytes, rule 33
   id: 4d371c2400000262 creatorid: ef5db833
all udp 64.187.65.74:53727 -> 64.187.64.4:53       MULTIPLE:SINGLE
   age 00:00:13, expires in 00:00:17, 1:1 pkts, 58:142 bytes, rule 26
   id: 4d371c2400000263 creatorid: ef5db833
all udp 69.65.40.29:123 <- 64.187.65.74:123       SINGLE:MULTIPLE
   age 00:00:12, expires in 00:00:18, 1:1 pkts, 76:76 bytes, rule 33
   id: 4d371c2400000264 creatorid: ef5db833
all udp 64.187.65.74:123 -> 69.65.40.29:123       MULTIPLE:SINGLE
   age 00:00:12, expires in 00:00:18, 1:1 pkts, 76:76 bytes, rule 26
   id: 4d371c2400000265 creatorid: ef5db833
all udp 72.18.205.157:123 <- 64.187.65.74:123       SINGLE:MULTIPLE
   age 00:00:11, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 33
   id: 4d371c2400000266 creatorid: ef5db833
all udp 64.187.65.74:123 -> 72.18.205.157:123       MULTIPLE:SINGLE
   age 00:00:11, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 26
   id: 4d371c2400000267 creatorid: ef5db833
all tcp 64.187.64.40:56319 -> 64.187.65.74:52979       FIN_WAIT_2:ESTABLISHED
   [1076337581 + 5824] wscale 6  [1631839020 + 5888] wscale 6
   age 00:00:06, expires in 00:14:54, 3:2 pkts, 164:112 bytes, rule 30
   id: 4d371c2400000268 creatorid: ef5db833
all tcp 64.187.65.74:52979 <- 64.187.64.40:56319       ESTABLISHED:FIN_WAIT_2
   [1631839020 + 5888] wscale 6  [1076337581 + 5824] wscale 6
   age 00:00:06, expires in 00:14:54, 3:2 pkts, 164:112 bytes, rule 32
   id: 4d371c2400000269 creatorid: ef5db833

Here was what my ftp client saw happen (port 52979 was the data connection, 64.187.64.40 is my client on WAN, 64.187.65.74 is my ftp server on LAN, 64.187.71.5 is the pfsense WAN addr):

10:42:48.082820 IP 64.187.64.40.34808 > 64.187.65.74.21: Flags [P.], seq 28:34, ack 448, win 108, options [nop,nop,TS val 17743743 ecr 2082528], length 6
10:42:48.084804 IP 64.187.65.74.21 > 64.187.64.40.34808: Flags [P.], seq 448:499, ack 34, win 91, options [nop,nop,TS val 2083333 ecr 17743743], length 51
10:42:48.084850 IP 64.187.64.40.34808 > 64.187.65.74.21: Flags [.], ack 499, win 108, options [nop,nop,TS val 17743743 ecr 2083333], length 0
10:42:48.084921 IP 64.187.64.40.56319 > 64.187.65.74.52979: Flags [S], seq 852796517, win 5840, options [mss 1460,sackOK,TS val 17743743 ecr 0,nop,wscale 6], length 0
10:42:48.086302 IP 64.187.65.74.21 > 64.187.64.40.34808: Flags [R.], seq 499, ack 34, win 0, length 0
10:42:48.086552 IP 64.187.71.5 > 64.187.64.40: ICMP host 64.187.65.74 unreachable, length 60
10:42:48.086561 IP 64.187.65.74.52979 > 64.187.64.40.56319: Flags [S.], seq 1631839019, ack 852796518, win 5792, options [mss 1380,sackOK,TS val 2083333 ecr 17743743,nop,wscale 6], length 0
10:42:48.086586 IP 64.187.64.40.56319 > 64.187.65.74.52979: Flags [.], ack 1, win 92, options [nop,nop,TS val 17743743 ecr 2083333], length 0
10:42:48.086644 IP 64.187.64.40.56319 > 64.187.65.74.52979: Flags [F.], seq 1, ack 1, win 92, options [nop,nop,TS val 17743743 ecr 2083333], length 0
10:42:48.093547 IP 64.187.65.74.52979 > 64.187.64.40.56319: Flags [.], ack 2, win 91, options [nop,nop,TS val 2083335 ecr 17743743], length 0
^C

#18 Updated by Chris Buechler about 6 years ago

  • Status changed from Feedback to Closed

#19 Updated by Chris Buechler over 3 years ago

  • Target version deleted (Future)
