URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID1
Нить номер: 82952
[ Назад ]

Исходное сообщение
"freebsd7: валят сообщения syncache_expand и tcp_do_segment"

Отправлено MarvinFS , 19-Ноя-08 11:31 
Господа усиленно гуглиг, но ничего невыгуглил!

Стоит FreeBSD7.0 и pf в качестве файрвола
Конфигурация лаборатории такова:
локальная машина с winxp sp3  -> неуправляемый свитч Compex -> машина с FBSD c 2мя интерфейсами один из них с фиксированным внешним белым IP ->выход в инет.

собрал сквид из сырцов с офф сайта (пробовал собирать 2.7stable5 и 2.6stable22- результат одинаковый)

./configure
--enable-auth="ntlm,basic"
--enable-basic-auth-helpers="PAM MSNT SMB"
--enable-external-acl-helpers="wbinfo_group"
--enable-delay-pools
--enable-pf-transparent
--enable-storeio=diskd,ufs
--disable-ident-lookups
--enable-snmp
--enable-removal-policies
--enable-ntlm-auth-helpers="SMB"

сквид настроен без авторизации пропускать просто локальную сеть, слушает соединения на порту 3128 на внутреннем интерфейсе. в логе самого сквида ошибок никаких нету.


в логах /var/logs/messages стали валить постоянно следующие ошибки.

19-11-2008    13:04:40    Nov 19 13:05:19 kernel: TCP: [192.168.0.1]:4985 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data after socket was closed, sending RST and removing tcpcb
19-11-2008    13:04:10    Nov 19 13:04:49 kernel: TCP: [192.168.0.1]:4984 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008    13:04:10    Nov 19 13:04:49 kernel: TCP: [192.168.0.1]:4984 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data after socket was closed, sending RST and removing tcpcb
19-11-2008    13:02:20    Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4968 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008    13:02:20    Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4968 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008    13:02:20    Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4969 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008    13:02:20    Nov 19 13:02:59 kernel: TCP: [192.168.0.1]:4969 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008    13:02:09    Nov 19 13:02:48 kernel: TCP: [192.168.0.1]:4966 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008    13:02:09    Nov 19 13:02:48 kernel: TCP: [192.168.0.1]:4967 to [192.168.0.2]:3128 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
19-11-2008    13:02:09    Nov 19 13:02:48 kernel: TCP: [192.168.0.1]:4967 to [192.168.0.2]:3128 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)

и так постоянно, это идет соединение с локальной клинтской машины на сквид, при этом каких либо ненормальностей в самом соединении не наблюдается, просто расстраивают заваленные логи... Что делать?!

log_in_vain=0
или установка соответствующих sysctl переменных в 0 результата не дает.

опции ядра:

machine i386
#cpu    I486_CPU
#cpu    I586_CPU
cpu   I686_CPU
ident   my_kern
maxusers 0

#makeoptions  DEBUG=-g    # Build kernel with gdb(1) debug symbols

options   SCHED_4BSD    # 4BSD scheduler
options   PREEMPTION    # Enable kernel thread preemption
options   INET      # InterNETworking
#options  INET6     # IPv6 communications protocols
#options  SCTP      # Stream Control Transmission Protocol
options   FFS     # Berkeley Fast Filesystem
options   SOFTUPDATES   # Enable FFS soft updates support
options   UFS_ACL     # Support for access control lists
options   UFS_DIRHASH   # Improve performance on big directories
options   UFS_GJOURNAL    # Enable gjournal-based UFS journaling
#options  MD_ROOT     # MD is a potential root device
#options  NFSCLIENT   # Network Filesystem Client
#options  NFSSERVER   # Network Filesystem Server
#options  NFS_ROOT    # NFS usable as /, requires NFSCLIENT
#options  MSDOSFS     # MSDOS Filesystem
options   CD9660      # ISO 9660 Filesystem
options   PROCFS      # Process filesystem (requires PSEUDOFS)
options   PSEUDOFS    # Pseudo-filesystem framework
options   GEOM_PART_GPT   # GUID Partition Tables.
options   GEOM_LABEL    # Provides labelization
options   COMPAT_43TTY    # BSD 4.3 TTY compat [KEEP THIS!]
options   COMPAT_FREEBSD4   # Compatible with FreeBSD4
options   COMPAT_FREEBSD5   # Compatible with FreeBSD5
options   COMPAT_FREEBSD6   # Compatible with FreeBSD6
options   KTRACE      # ktrace(1) support
options   SYSVSHM     # SYSV-style shared memory
options   SYSVMSG     # SYSV-style message queues
options   SYSVSEM     # SYSV-style semaphores
options   _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options   KBD_INSTALL_CDEV  # install a CDEV entry in /dev
options   ADAPTIVE_GIANT    # Giant mutex is adaptive.
options   STOP_NMI    # Stop CPUS using NMI instead of IPI
options   AUDIT     # Security event auditing
options         VGA_WIDTH90
options         VESA
options         SC_DFLT_FONT
makeoptions     SC_DFLT_FONT=cp866
options         SC_HISTORY_SIZE=1000
options         SC_PIXEL_MODE
options         SC_NORM_ATTR="(FG_GREEN|BG_BLACK)"
options         SC_NORM_REV_ATTR="(FG_YELLOW|BG_GREEN)"
options         SC_KERNEL_CONS_ATTR="(FG_RED|BG_BLACK)"
options         SC_KERNEL_CONS_REV_ATTR="(FG_BLACK|BG_RED)"
options ALTQ
options ALTQ_CBQ # Class Bases Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options SC_DISABLE_REBOOT # Disable Ctrl+Alt+Del
options RANDOM_IP_ID # Enables random IP ID generation
        ^^^^^^^^^^^^
        вот это не может быть причиной?!

вот мой pf.conf
ext_if="fxp0"   # macro for external interface - use tun0 for PPPoE
int_if="vr0"    # replace with actual internal interface name i.e., dc1
table <LANclients> { 192.168.0.0/24 }
clients_tcp_ports =" {ftp, ssh, domain, pop3, nntp, \
                      https, http, 8000, 8080, 8081, 8082, pop3s,\
              imap, imaps, 5190, ntp, 3128, 411, 3389 }"
clients_udp_ports = "{ domain,ntp }"
icmp_types = "{echoreq, unreach}"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
    169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on { lo0, lo1 }

scrub in all fragment reassemble
      
#### NAT and RDR SECTION START
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr-anchor miniupnpd
nat on $ext_if from <LANclients> -> ($ext_if)

# Redirect ftp traffic FROM LAN to proxy
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# Redirect ftp traffic FROM WAN TO LAN to proxy
rdr pass on $ext_if proto tcp to port ftp -> 127.0.0.1 port 8021
      
#### FILTERING SECTION START
block log all

# pass all in\out traffic on internal IF
pass in quick on $int_if all
pass out quick on $int_if all

anchor "pftpx/*"

block in quick from urpf-failed
antispoof for $ext_if

block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

# block certain inet attacks specific to MY INTERNET SEGMENT
block drop in quick on $ext_if proto {tcp,udp} to port {137,138,139,445,67,1900}
block drop in quick on $ext_if proto {tcp,udp} from port {8086}
#logs all NMAP scans attempts
block in log quick from any os NMAP
block in quick on $ext_if inet proto tcp flags FUP/FUP
block in quick on $ext_if inet proto tcp flags SF/SFRA
block in quick on $ext_if inet proto tcp flags /SFRA
        
pass out on $ext_if proto udp from any to any port 33433 >< 33626
pass inet proto icmp icmp-type $icmp_types

#allow incoming SSH to server
pass in  on $ext_if proto tcp to $ext_if port 22
      
#passing traffic fron LAN clients to specified WAN ports.
pass out on $ext_if proto tcp to port $clients_tcp_ports
pass out on $ext_if proto udp to port $clients_udp_ports
pass out on $ext_if proto tcp from ($ext_if) port 3128 to any
pass in on $ext_if proto tcp from port {ftp, ftp-data}

вот rc.conf
gateway_enable="YES"
hostname="nessy.home.local"
defaultrouter="195.64.xx.xx"
ifconfig_fxp0="inet 195.64.xx.xx  netmask 255.255.255.192"
ifconfig_vr0="inet 192.168.0.2  netmask 255.255.255.0"
sshd_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="vr0"
named_enable="yes"
pf_enable="YES"                 # Включить PF (загрузить модуль если необходимо)
pf_rules="/etc/pf.conf"         # определение правил для pf
pf_flags=""                     # дополнительные флаги для запуска pfctl
pflog_enable="YES"              # запустить pflogd(8)
pflog_logfile="/var/log/pf.log"  # где pflogd должен сохранять протокол
pflog_flags=""                  # дополнительные флаги для запуска pflogd
pftpx_enable="YES"
pftpx_flags="-D 0 -f 192.168.0.1 -p 195.64.xx.xx"
keymap="ru.koi8-r"
mousechar_start="3"
scrnmap="NO"
allscreens_flags="-g 100x37 VESA_800x600"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
sendmail_enable="NONE"
portmap_enable="NO"
inetd_enable="NO"
clear_tmp_enable="YES"
syslogd_flags=""
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
log_in_vain="YES"
miniupnpd_enable="YES"
miniupnpd_config="/usr/local/etc/miniupnpd.conf"
miniupnpd_flags=""
icmp_bmcastecho="NO"
tcp_keepalive="YES"
tcp_drop_synfin="YES"
tcp_extensions="YES" # RFC 1323 - TCP Extensions for High Performance
fsck_y_enable="YES"
check_quotas="NO"
virecover_enable="NO"
update_motd="NO"


вот sysctl.conf
security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
kern.ipc.somaxconn=16384
kern.ipc.nmbclusters=32768
kern.ipc.maxsockets=32768
kern.ipc.maxsockbuf=16777216
net.inet.tcp.rfc1323=1
net.inet.tcp.sendspace=1048576
net.inet.tcp.recvspace=1048576
net.inet.icmp.bmcastecho=0
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.ip.check_interface=1 # protection against spoof ip packets
net.inet.icmp.maskrepl=0
net.inet.tcp.rfc3042=1 # Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3390=1 # Increasing TCP's Initial Window
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=300000
net.inet.tcp.keepintvl=150
net.inet.udp.recvspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535


Содержание

Сообщения в этом обсуждении
"freebsd7: валят сообщения syncache_expand и tcp_do_segment"
Отправлено MarvinFS , 19-Ноя-08 22:04 
обновился до ветки 8-current собрал мир пересобрал ядро без
options RANDOM_IP_ID # Enables random IP ID generation

всё равно.. прут те-же ошибки... идеи кончились...