On Fri, 18 Jun 2004, Daniel Wittenberg wrote:

> I've got a firewall I've been supporting for a while, and for a few months
> things have been screwy, and I think I've narrowed it down.
> Originally it looked like a bug in proftpd, but now it looks like
> connections that are stateful stop working. What seems to happen is
> that after a period of time (almost 2 weeks now), passive mode ftp
> stops working, but active mode still works. Is there anything that
> can be checked/traced to check what the connection table is like? I
> have watched for errors in dmesg and /var/log/message (fedora core 1
> box), about connection table full, but nothing there. Here's part of
> the trace when things broke:
>
> 1.2.3.4 is outside host
>
> 0.181007 192.168.254.7 -> 1.2.3.4 FTP Response: 230 User <user> logged in.
> 0.214498 1.2.3.4 -> 192.168.254.7 FTP Request: TYPE I
> 0.215631 192.168.254.7 -> 1.2.3.4 FTP Response: 200 Type set to I
> 0.260922 1.2.3.4 -> 192.168.254.7 FTP Request: PWD
> 0.262036 192.168.254.7 -> 1.2.3.4 FTP Response: 257 "/" is current directory.
> 0.344486 1.2.3.4 -> 192.168.254.7 TCP 56178 > ftp [ACK] Seq=39 Ack=147 Win=5840 Len=0 TSV=250989004 TSER=112409764
> 0.362754 1.2.3.4 -> 192.168.254.7 FTP Request: PASV
> 0.363917 192.168.254.7 -> 1.2.3.4 FTP Response: 227 Entering Passive Mode (192,168,254,7,8,202).
> 0.407829 1.2.3.4 -> 192.168.254.7 TCP 56178 > ftp [ACK] Seq=45 Ack=197 Win=5840 Len=0 TSV=250989010 TSER=112409774
> 0.407907 1.2.3.4 -> 192.168.254.7 TCP 56179 > 2250 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=250989010 TSER=0 WS=0
> 3.400629 1.2.3.4 -> 192.168.254.7 TCP 56179 > 2250 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=250989310 TSER=0 WS=0
> 9.400613 1.2.3.4 -> 192.168.254.7 TCP 56179 > 2250 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=250989910 TSER=0 WS=0
> 11.114693 1.2.3.4 -> 192.168.254.7 TCP 56178 > ftp [FIN, ACK] Seq=45 Ack=197 Win=5840 Len=0 TSV=250990074 TSER=112409774

Please post your exact kernel version number, loaded kernel modules, your
complete ruleset *and* a real tcpdump output.

Server SYN/ACK response does not reach the client: that's all one can say.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
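As an added example that is not part of the thread: a short Python script that decodes the 227 reply quoted above into the announced data port (8*256+202 = 2250) and then checks, over a constructed copy of that trace, whether the client's SYNs to the data port were ever answered with a SYN/ACK, which is the condition Jozsef points at. The summary-line layout (`time src -> dst TCP sport > dport [flags]`) is assumed to follow the ethereal-style output quoted in the mail; the sample lines are constructed, not a real capture.

```python
import re

# Constructed sample modelled on the trace quoted in the thread (not a real capture).
TRACE = """\
0.362754 1.2.3.4 -> 192.168.254.7 FTP Request: PASV
0.363917 192.168.254.7 -> 1.2.3.4 FTP Response: 227 Entering Passive Mode (192,168,254,7,8,202).
0.407907 1.2.3.4 -> 192.168.254.7 TCP 56179 > 2250 [SYN] Seq=0 Ack=0 Win=5840
3.400629 1.2.3.4 -> 192.168.254.7 TCP 56179 > 2250 [SYN] Seq=0 Ack=0 Win=5840
9.400613 1.2.3.4 -> 192.168.254.7 TCP 56179 > 2250 [SYN] Seq=0 Ack=0 Win=5840
11.114693 1.2.3.4 -> 192.168.254.7 TCP 56178 > ftp [FIN, ACK] Seq=45 Ack=197
"""

# 227 reply carries h1,h2,h3,h4,p1,p2: the data address and port (p1*256 + p2).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Summary line as in the quoted trace: time src -> dst TCP sport > dport [flags] ...
TCP_RE = re.compile(r"^(\S+) (\S+) -> (\S+) TCP (\S+) > (\S+) \[([^\]]+)\]")

def pasv_endpoint(line):
    """Decode the data-channel endpoint announced in a 227 reply, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])

def check_passive_data_channel(trace):
    """Per announced PASV endpoint: count client SYNs and note whether a SYN/ACK came back."""
    results, current = {}, None
    for line in trace.splitlines():
        ep = pasv_endpoint(line)
        if ep:
            current = ep
            results[ep] = {"syn": 0, "synack": False}
            continue
        m = TCP_RE.match(line)
        if not m or current is None:
            continue
        _, src, dst, sport, dport, flags = m.groups()
        host, port = current
        flagset = {f.strip() for f in flags.split(",")}
        if dst == host and dport == str(port) and flagset == {"SYN"}:
            results[current]["syn"] += 1          # client trying to open the data channel
        elif src == host and sport == str(port) and flagset == {"SYN", "ACK"}:
            results[current]["synack"] = True     # server's answer made it through
    return results

def diagnose(trace):
    """One verdict per announced data channel: unanswered SYNs mean the server's reply never arrived."""
    return [f"{h}:{p}: " + ("data channel answered" if r["synack"] else
            f"{r['syn']} SYN(s), no SYN/ACK - check FTP conntrack helper and ruleset")
            for (h, p), r in check_passive_data_channel(trace).items()]
```

Run against a full control-channel capture, it flags every PASV data port that was retried without a SYN/ACK, which is what distinguishes a dropped data channel from a proftpd fault.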