tech-net archive
Re: ipfilter randomly dropping (ssh-)connections
On Wed, Jun 11, 2014 at 05:57:22PM +0200, Petar Bogdanovic wrote:
>
> A quick tcpdump revealed that the server side at one point just FINs
> the connection and then spams the client with a bunch of TCP resets.

ipmon doesn't seem to register that final FIN. Here are the first and
last few lines of a dropped ssh-session as seen by ipmon. Note how -AF
(or -APF as seen by tcpdump) never happens:

04:00:03.179745 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 64 -S 2750905065 0 32768 K-S K-F IN
04:00:03.179774 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 64 -AS 2937736002 2750905066 32768 K-S K-F OUT
04:00:03.219809 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2750905066 2937736003 4197 K-S K-F IN
04:00:03.232809 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 115 -AP 2937736003 2750905066 4197 K-S K-F OUT
04:00:03.277810 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 115 -AP 2750905066 2937736066 4197 K-S K-F IN
04:00:03.280355 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 852 -AP 2937736066 2750905129 4197 K-S K-F OUT
04:00:03.322407 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 1156 -AP 2750905129 2937736866 4097 K-S K-F IN
04:00:03.515999 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 52 -A 2937736866 2750906233 4197 K-S K-F OUT
04:00:03.555799 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 132 -AP 2750906233 2937736866 4197 K-S K-F IN
04:00:03.561757 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 500 -AP 2937736866 2750906313 4197 K-S K-F OUT
04:00:03.627697 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 68 -AP 2750906313 2937737314 4197 K-S K-F IN
04:00:03.826129 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 52 -A 2937737314 2750906329 4197 K-S K-F OUT
(...)
04:00:27.821939 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392265 2945862410 12027 K-S K-F IN
04:00:27.821948 2x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945955082 2757392265 10341 K-S K-F OUT
04:00:27.821998 3x,re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392265 2945865306 11665 K-S K-F IN
04:00:27.822028 6x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945957978 2757392265 10341 K-S K-F OUT
04:00:27.823735 3x,re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392265 2945871098 12027 K-S K-F IN
04:00:27.823774 4x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945966666 2757392265 10341 K-S K-F OUT
04:00:27.823822 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 100 -AP 2757392265 2945875442 12389 K-S K-F IN
04:00:27.823828 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945878338 12027 K-S K-F IN
04:00:27.823848 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945972458 2757392313 10335 K-S K-F OUT
04:00:27.824013 3x,re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945881234 11665 K-S K-F IN
04:00:27.824069 4x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945973906 2757392313 10341 K-S K-F OUT
04:00:27.824130 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945887026 12027 K-S K-F IN
04:00:27.824140 2x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945979698 2757392313 10341 K-S K-F OUT
04:00:27.824173 3x,re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945889922 11665 K-S K-F IN
04:00:27.824202 4x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945982594 2757392313 10341 K-S K-F OUT
04:00:27.824241 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945895714 12027 K-S K-F IN
04:00:27.824250 2x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945988386 2757392313 10341 K-S K-F OUT
04:00:27.824285 3x,re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945898610 11665 K-S K-F IN
04:00:27.826016 4x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945991282 2757392313 10341 K-S K-F OUT
04:00:27.826078 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945904402 12027 K-S K-F IN
04:00:27.826087 2x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945997074 2757392313 10341 K-S K-F OUT
04:00:27.826120 2x,re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945907298 11665 K-S K-F IN
04:00:27.826143 4x,re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2945999970 2757392313 10341 K-S K-F OUT
04:00:27.826183 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945911642 12027 K-S K-F IN
04:00:27.826192 re0 @0:15 p [85.X.X.X],ssh -> [77.X.X.X],55343 PR
tcp len 20 1500 -A 2946005762 2757392313 10341 K-S K-F OUT
04:00:27.826215 re0 @0:15 p [77.X.X.X],55343 -> [85.X.X.X],ssh PR
tcp len 20 52 -A 2757392313 2945914538 11665 K-S K-F IN

Is this something for the ipfilter ML?
Full ipmon log: http://pastebin.com/raw.php?i=R3ACgNQa
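
Added example, not part of the original message: one way to check a saved ipmon log for the observation above, by listing the connections for which no FIN or RST record was logged. The record layout is inferred from the lines quoted in this message; the addresses and sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# ipmon TCP record layout as it appears in the post. A record may be wrapped
# over two lines by the mailer, so every separator also accepts a newline.
RECORD = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?:(?P<count>\d+)x,)?\S+\s+@\S+\s+\S+\s+"
    r"\[?(?P<src>[^\],\s]+)\]?,(?P<sport>\S+)\s+->\s+"
    r"\[?(?P<dst>[^\],\s]+)\]?,(?P<dport>\S+)\s+"
    r"PR\s+tcp\s+len\s+\d+\s+\d+\s+-(?P<flags>[A-Z]+)\s")

# Constructed sample (documentation addresses): one session with no FIN, one with -AF.
SAMPLE = """\
04:00:03.179745 re0 @0:15 p [192.0.2.10],55343 -> [198.51.100.20],ssh PR
tcp len 20 64 -S 100 0 32768 K-S K-F IN
04:00:03.179774 re0 @0:15 p [198.51.100.20],ssh -> [192.0.2.10],55343 PR
tcp len 20 64 -AS 900 101 32768 K-S K-F OUT
04:00:27.821998 3x,re0 @0:15 p [192.0.2.10],55343 -> [198.51.100.20],ssh PR
tcp len 20 52 -A 101 901 11665 K-S K-F IN
04:01:10.000001 re0 @0:15 p [192.0.2.11],40000 -> [198.51.100.20],ssh PR
tcp len 20 64 -S 500 0 32768 K-S K-F IN
04:01:12.000002 re0 @0:15 p [198.51.100.20],ssh -> [192.0.2.11],40000 PR
tcp len 20 52 -AF 700 501 4197 K-S K-F OUT
"""

def summarise(log_text):
    """Group records by connection and collect the TCP flags logged per sender."""
    conns = defaultdict(lambda: {"packets": 0, "last": None, "flags": defaultdict(set)})
    for m in RECORD.finditer(log_text):
        a = (m["src"], m["sport"])
        b = (m["dst"], m["dport"])
        conn = conns[frozenset((a, b))]          # same key for both directions
        conn["packets"] += int(m["count"] or 1)  # "3x," = three identical records
        conn["last"] = m["time"]
        conn["flags"]["%s,%s" % a] |= set(m["flags"])
    return conns

def unterminated(conns):
    """Connections for which ipmon logged neither a FIN (F) nor a RST (R)."""
    return sorted(sorted(key) for key, c in conns.items()
                  if not any(f & {"F", "R"} for f in c["flags"].values()))

if __name__ == "__main__":
    for a, b in unterminated(summarise(SAMPLE)):
        print("no FIN/RST logged:", ",".join(a), "<->", ",".join(b))
```

A connection listed here only means ipmon logged no F or R flag for it; comparing against a tcpdump capture of the same interval shows whether such a packet was on the wire.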