This is a discussion on outgoing SYN blocked even if it is allowed by ipf.rules within the IPFilter forums, part of the System Security and Security Related category.
Hello,

I've a problem with some incoming call of a VideoConferencing system which should pass my IPF firewall (v4.1.8); I've watched it on both interfaces with tcpdump:

13:30:07.989088 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: S 356680283:356680283(0) win 8192 <mss 1460>
13:30:07.994005 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: S 85446234:85446234(0) ack 356680284 win 23360 <mss 536>
13:30:08.153383 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 1 win 8192
13:30:08.153391 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 1:5(4) ack 1 win 8192
13:30:08.154131 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: P 5:222(217) ack 1 win 8192
13:30:08.182341 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 1:104(103) ack 222 win 23139
13:30:08.320937 IP 10.0.1.40.1720 > xxx.xxx.xxx.xxx.3232: P 104:242(138) ack 222 win 23139
13:30:08.346463 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 104 win 8093
13:30:08.494931 IP xxx.xxx.xxx.xxx.3232 > 10.0.1.40.1720: . ack 242 win 8058

Now my VC tries (for some reason which I don't understand as well) to initiate a new TCP session here:

13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 49301289:49301289(0) ack 979701897 win 23360 <mss 536>
13:30:08.499077 IP 10.0.1.136 > 10.0.1.40: ICMP host xxx.xxx.xxx.xxx unreachable, length 36

which gets blocked by the IPF (2nd line):

Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.989080 em1 @0:74 p xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 PR tcp len 20 44 -S K-S IN NAT
Jul 25 13:30:09 cazador ipmon[362]: 13:30:08.499067 em1 @0:111 b 10.0.1.40,2546 -> xxx.xxx.xxx.xxx,3233 PR tcp len 20 44 -AS OUT

The line in ipf.rules is:

pass out log first quick on em1 proto tcp from any to xxx.xxx.xxx.xxx flags S keep state

Why does the traffic 'TCP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: SYN' not match the rule?
Thx in advance

matthias

--
Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <m.apitz@oclcpica.org> - w http://www.oclcpica.org/ http://www.UnixArea.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Geschaeftsfuehrer: Christine Magin-Weeger, Norbert Weinberger
Sitz der Gesellschaft: Oberhaching, HRB Muenchen: 113261
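The flags that ipmon logged for each packet can be compared mechanically with the rule's flags expression. The following is an added example, not part of the original post: it parses the two ipmon lines quoted above and evaluates "flags S" against them. It assumes the ipf(5) behaviour that a bare "flags S" is compared under the default mask FSRPAU; the function names are hypothetical.

```python
import re

# TCP flag letters as used in ipf.rules and printed by ipmon.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
# Assumption (per ipf(5)): a bare "flags S" is compared as "flags S/FSRPAU".
DEFAULT_MASK = "FSRPAU"

# Matches the ipmon TCP lines quoted in the post (rule number, action, flags).
IPMON_TCP = re.compile(
    r"@(?P<rule>\d+:\d+) (?P<action>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"PR tcp len \d+ \d+ -(?P<flags>[A-Z]+)"
)

# The two ipmon log lines from the post, copied verbatim.
POST_LOG = [
    "Jul 25 13:30:08 cazador ipmon[362]: 13:30:07.989080 em1 @0:74 p "
    "xxx.xxx.xxx.xxx,3232 -> 10.0.1.40,1720 PR tcp len 20 44 -S K-S IN NAT",
    "Jul 25 13:30:09 cazador ipmon[362]: 13:30:08.499067 em1 @0:111 b "
    "10.0.1.40,2546 -> xxx.xxx.xxx.xxx,3233 PR tcp len 20 44 -AS OUT",
]

def to_bits(letters):
    """OR together the bits for each flag letter; unknown letters are ignored."""
    value = 0
    for c in letters:
        value |= FLAG_BITS.get(c, 0)
    return value

def flags_match(expr, packet_flags):
    """Evaluate an ipf 'want[/mask]' flags expression against packet flag letters."""
    want, _, mask = expr.partition("/")
    return (to_bits(packet_flags) & to_bits(mask or DEFAULT_MASK)) == to_bits(want)

def check_log(lines, expr):
    """Return (rule, action, flags, matches_expr) for every ipmon TCP line."""
    results = []
    for line in lines:
        m = IPMON_TCP.search(line)
        if m:
            results.append((m["rule"], m["action"], m["flags"],
                            flags_match(expr, m["flags"])))
    return results

if __name__ == "__main__":
    for rule, action, flags, ok in check_log(POST_LOG, "S"):
        print(f"rule @{rule} action={action} flags={flags} matches 'flags S': {ok}")
```

The blocked packet is logged with -AS, and its tcpdump line shows S together with an ack field, so it carries ACK in addition to SYN.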