Inbound Connections being Dropped

Hey guys, long time listener, first time caller ;)

First, apologies if this has been asked and answered before; I couldn't find it, though because I don't know what the problem is exactly, I guess I don't really know what I'm looking for.

Basically, as the subject suggests, all incoming connections are being dropped. This, despite all the software firewalls being turned off. I say software because there are a couple of hardware firewalls attached.

I know these aren't the problem because I can see incoming connections on the FreeBSD with tcpdump, and I can ping out from the server. tcpdump output is showing what would usually be a very one sided conversation; no connections are going out.

pf was enabled on there originally, but I have since removed this. That's about as far as my inspiration has taken me... Any ideas?
 
"Inbound Connections being Dropped"
"no connections are going out"

Which is it? Or: post a few lines of tcpdump output illustrating the problem.
 
Sorry, I hadn't considered they were different: if inbound connections are being dropped before they get to me, they're not inbound connections.

To explain it better; the connections are getting to me, tcpdump shows an entire list of

Code:
$time $from > $me.proto $options

Without anything going the opposite way. (By way of an apology, I can't get the output from tcpdump from the attached console to here, which is why I'm insulting everybody's intelligence by explicitly prototyping the tcpdump output).

- That being said, ARP responses are being sent, but ICMP echoes and SSH connections are being treated in this way.

Once again, sorry for not being able to post output from that (Please don't make me type it out!)
 
@jamesc: So you're getting a bunch of TCP SYN packets, but no SYN-ACK is being sent.

Are you sure you really turned off pf? To verify:
# pfctl -s all | less

Check to make sure it's disabled (or barfs an error about pf.ko not being loaded or some such..).

That would be the most likely cause - packets being dropped by a host-level firewall. Otherwise you'd see the SYN-ACK, or at least an RST (for no service listening).

Alternatively, do you have a complex IP setup (multiple IPs trying to go through different routes)?
 
Sorry, I ought really to have updated this sooner. In the end we rebuilt the box again; we had two interfaces, each connected to a different firewall, and some interesting routes set up. I have a feeling that whoever put these routes in did it wrong.

That was the only difference between the two boxes, the one I did and the one done before.

Though yes, to answer your question; pf was completely off iirc.

Thanks for your help, though.
 
In situations with multiple routes, remember to capture traffic on every routed interface while testing. (i.e. Asymmetric routing can occur. How to fix that depends on OS / context.)
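The two diagnoses offered in this thread (a host-level firewall silently dropping SYNs, versus replies leaving on a different interface than the one the SYN arrived on) can be told apart from captures alone, which is what the first reply asked for. The following script is an added example, not code from any poster: it parses a constructed, tcpdump-style capture taken on both interfaces and classifies each inbound TCP connection attempt. tcpdump itself does not print the interface name, so the example assumes each line was prefixed with it (e.g. `tcpdump -n -i em0 ... | sed 's/^/em0 /'`); the interface names, addresses and ports below are made up.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump -n output from two interfaces (em0, em1) on a
# host whose address is 192.0.2.5, each line prefixed with the capturing
# interface. Three inbound SYNs, each with a different outcome.
SAMPLE_CAPTURE = """\
em0 10:00:01.000001 IP 203.0.113.10.51000 > 192.0.2.5.22: Flags [S], seq 1, win 65535, length 0
em0 10:00:02.000002 IP 203.0.113.10.51000 > 192.0.2.5.22: Flags [S], seq 1, win 65535, length 0
em0 10:00:03.000003 IP 203.0.113.11.51001 > 192.0.2.5.80: Flags [S], seq 2, win 65535, length 0
em1 10:00:03.000010 IP 192.0.2.5.80 > 203.0.113.11.51001: Flags [S.], seq 9, ack 3, win 65535, length 0
em0 10:00:04.000004 IP 203.0.113.12.51002 > 192.0.2.5.443: Flags [S], seq 3, win 65535, length 0
em0 10:00:04.000011 IP 192.0.2.5.443 > 203.0.113.12.51002: Flags [R.], seq 0, ack 4, win 0, length 0
"""

# Matches "<iface> <timestamp> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]".
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return one dict per recognised TCP line; other lines (ARP, ICMP) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        records.append(d)
    return records


def classify_flows(records, local_ip):
    """Map each inbound connection attempt (client ip, client port, local ip,
    local port) to a verdict:
      no-reply   - SYN(s) seen, nothing ever sent back (host firewall, or no route)
      asymmetric - reply left on a different interface than the SYN arrived on
      refused    - RST sent back on the same interface (nothing listening)
      ok         - SYN-ACK sent back on the same interface
    """
    flows = defaultdict(lambda: {"syn_ifaces": set(), "reply_ifaces": set(),
                                 "reply_flags": set()})
    for r in records:
        pure_syn = "S" in r["flags"] and "." not in r["flags"]
        if r["dst"] == local_ip and pure_syn:
            key = (r["src"], r["sport"], r["dst"], r["dport"])
            flows[key]["syn_ifaces"].add(r["iface"])
        elif r["src"] == local_ip:
            # Reply packet: key it from the remote side so it joins the SYN.
            key = (r["dst"], r["dport"], r["src"], r["sport"])
            flows[key]["reply_ifaces"].add(r["iface"])
            flows[key]["reply_flags"].add(r["flags"])

    verdicts = {}
    for key, f in flows.items():
        if not f["syn_ifaces"]:
            continue  # outbound-only traffic is not an inbound attempt
        if not f["reply_ifaces"]:
            verdicts[key] = "no-reply"
        elif f["reply_ifaces"] != f["syn_ifaces"]:
            verdicts[key] = "asymmetric"
        elif any("R" in flags for flags in f["reply_flags"]):
            verdicts[key] = "refused"
        else:
            verdicts[key] = "ok"
    return verdicts


def diagnose(text, local_ip):
    """Count verdicts; a capture full of 'no-reply' points at a local drop,
    'asymmetric' at routing."""
    counts = defaultdict(int)
    for verdict in classify_flows(parse_capture(text), local_ip).values():
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for flow, verdict in classify_flows(parse_capture(SAMPLE_CAPTURE), "192.0.2.5").items():
        print(f"{flow[0]}:{flow[1]} -> :{flow[3]}  {verdict}")
    print(diagnose(SAMPLE_CAPTURE, "192.0.2.5"))
```

A flow tagged `asymmetric` means the reply did leave the host, so a per-interface stateful firewall further up the path will drop it as an unseen connection; `no-reply` with pf supposedly disabled is the cue to re-check `pfctl -s all` and the routing table for the client's network.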
 