Subject: kern/28982: IPF's blocking of (outgoing) out-of-window (OOW) packets
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <sutre@labri.fr>
List: netbsd-bugs
Date: 01/16/2005 14:21:00
>Number:         28982
>Category:       kern
>Synopsis:       CVS and LPRng fail to work because of blocked out-of-window packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 16 14:21:00 +0000 2005
>Originator:     sutre@labri.fr
>Release:        NetBSD 2.0   (source date: Jan 11 2005)
>Organization:
>Environment:
System: NetBSD gavarnie 2.0 NetBSD 2.0 (GAVARNIE) #0: Wed Jan 12 01:45:55 CET 2005 instsoft@gavarnie:/usr/build/usr/src/sys/arch/i386/compile/GAVARNIE i386
Architecture: i386
Machine: i386
>Description:
IPF seems to block some legitimate outgoing out-of-window packets, which
causes cvs and LPRng's lpr to abort on my NetBSD 2.0 (2005-01-11) box.

This machine's IP address is 192.168.0.17 and the /etc/ipf.conf used in
the following tests is:

------------------------------------------------------------------------
# Default policy
block in  log all
block out log all

# Allow all traffic on loopback
pass in  quick on lo0 all
pass out quick on lo0 all

# Allow all outbound connections
pass out quick on ex0 proto tcp  from any to any		\
                      flags S keep state keep frags
pass out quick on ex0 proto icmp from any to any		\
                      keep state keep frags
pass out quick on ex0 proto udp  from any to any		\
                      keep state keep frags
------------------------------------------------------------------------

* CVS : running `cvs update' in /usr/pkgsrc fails with:

  $ cvs update
  Write failed: Permission denied
  cvs [update aborted]: received broken pipe signal

  and ipmon reports:

  12/01/2005 23:43:01.858100 ex0 @0:1 b 192.168.0.17,65511 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:43:01.858486 ex0 @0:1 b 192.168.0.17,65511 -> 132.227.74.11,22 PR tcp len 20 52 -AF OUT OOW

  The corresponding tcpdump trace is given below.  The CVS server being
  used is anoncvs.fr.netbsd.org (132.227.74.11).

  I observed that this problem only occurs when this box is connected to
  my home LAN (it does not occur on my office LAN), and moreover, in
  some cases, it did not occur just after a reboot.


* LPRng's lpr : sending a printing request to an lprng server located on
  the local network (192.168.0.2) fails with:

  $ /usr/pkg/bin/lpr -Pdoisneau@192.168.0.2 /tmp/foo.ps
  Status Information, attempt 1 of 3:
  sending job 'sutre@gavarnie+713' to doisneau@192.168.0.2
   connecting to '192.168.0.2', attempt 1
   connected to '192.168.0.2'
   requesting printer doisneau@192.168.0.2
   sending control file 'cfA713gavarnie.' to doisneau@192.168.0.2
   completed sending 'cfA713gavarnie.' to doisneau@192.168.0.2
   sending data file 'dfA713gavarnie.' to doisneau@192.168.0.2
   job 'sutre@gavarnie+713' transfer to doisneau@192.168.0.2 failed
    error 'ERROR TRANSFERRING DATA'
    sending data file 'dfA713gavarnie.' to doisneau@192.168.0.2
   error msg: '^Bdoisneau: transfer of 'dfA713gavarnie.' from 'gavarnie' failed'
  Waiting 10 seconds before retry
  Status Information, attempt 2 of 3:
  sending job 'sutre@gavarnie+713' to doisneau@192.168.0.2
   connecting to '192.168.0.2', attempt 1
   connected to '192.168.0.2'
   requesting printer doisneau@192.168.0.2
   sending control file 'cfA713gavarnie.' to doisneau@192.168.0.2
   completed sending 'cfA713gavarnie.' to doisneau@192.168.0.2
   sending data file 'dfA713gavarnie.' to doisneau@192.168.0.2
   job 'sutre@gavarnie+713' transfer to doisneau@192.168.0.2 failed
    error 'ERROR TRANSFERRING DATA'
    sending data file 'dfA713gavarnie.' to doisneau@192.168.0.2
   error msg: '^Bdoisneau: transfer of 'dfA713gavarnie.' from 'gavarnie' failed'
  Waiting 10 seconds before retry
  sending job 'sutre@gavarnie+713' to doisneau@192.168.0.2
   connecting to '192.168.0.2', attempt 1
   connected to '192.168.0.2'
   requesting printer doisneau@192.168.0.2
   sending control file 'cfA713gavarnie.' to doisneau@192.168.0.2
   completed sending 'cfA713gavarnie.' to doisneau@192.168.0.2
   sending data file 'dfA713gavarnie.' to doisneau@192.168.0.2
   job 'sutre@gavarnie+713' transfer to doisneau@192.168.0.2 failed
    error 'ERROR TRANSFERRING DATA'
    sending data file 'dfA713gavarnie.' to doisneau@192.168.0.2
   error msg: '^Bdoisneau: transfer of 'dfA713gavarnie.' from 'gavarnie' failed'

  and ipmon reports:

  12/01/2005 23:47:10.027815 3x ex0 @0:1 b 192.168.0.17,760 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW
  12/01/2005 23:47:21.083988 2x ex0 @0:1 b 192.168.0.17,761 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW
  12/01/2005 23:47:21.124115 ex0 @0:1 b 192.168.0.17,761 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW
  12/01/2005 23:47:32.136640 3x ex0 @0:1 b 192.168.0.17,762 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW

  The print server (192.168.0.2) is a Debian/Linux 2.6.9 (i686) box with
  LPRng 3.8.28.

  The corresponding tcpdump trace is given below.

  I observed that this kind of printing problem only occurs when this
  box is connected to my home LAN (it does not occur on my office LAN,
  but the print server is not LPRng there).



Now, when I add the following lines in /etc/ipf.conf (at the end):

### Workaround OOW out blocking -----------------------------------------

# CVS on anoncvs.fr.netbsd.org from home
pass out log quick on ex0 proto tcp  from 192.168.0.17 to 132.227.74.11	\
                      port = 22 flags A/SA with oow

# LPR on 192.168.0.2 at home
pass out log quick on ex0 proto tcp  from 192.168.0.17 to 192.168.0.2	\
                      port = 515 flags A/SA with oow

### ---------------------------------------------------------------------

then these problems disappear (CVS and LPRng's lpr work as expected), and
the corresponding logs from ipmon show that the OOW packets are now let
through (as expected):

* CVS : `cvs update' in /usr/pkgsrc aborted after some time with Ctrl-C.

  12/01/2005 23:52:16.246011 10x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:16.881968 16x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:17.900170 17x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:18.938753 16x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:19.914068 14x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:20.931385 16x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:21.928500 16x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:22.945243 16x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:23.963606 17x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:24.981273 16x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:25.958235 15x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
  12/01/2005 23:52:26.974624 2x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW

* LPRng's lpr :

  12/01/2005 23:50:23.390725 8x ex0 @0:7 p 192.168.0.17,554 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW



I believe these problems are related to the following problem reports:

http://mail-index.netbsd.org/current-users/2004/07/23/0007.html
http://mail-index.netbsd.org/netbsd-bugs/2004/11/14/0006.html


And they are surely due to the fact that ipf purposely ``does not allow
packets flagged with "out-of-window" (oow) to match "keep state" rules'':

http://mail-index.netbsd.org/source-changes/2004/09/06/0006.html



Even though these problems only occur on my home LAN, a few (apparently
legitimate) outgoing out-of-window packets are also blocked when the box
is on my office LAN.  In case it does matter, my home LAN consists of a
router (D-Link DI-604) connected to a DSL ``modem'' (freebox), and the
Debian/Linux print server (and this NetBSD laptop from time to time).



#################### tcpdump trace for `cvs update' ####################

23:43:00.280830 192.168.0.17.65511 > 132.227.74.11.22: S 283832717:283832717(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
23:43:00.319280 132.227.74.11.22 > 192.168.0.17.65511: S 3683402661:3683402661(0) ack 283832718 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 0 0> (DF)
23:43:00.319330 192.168.0.17.65511 > 132.227.74.11.22: . ack 1 win 33580 <nop,nop,timestamp 0 0> (DF)
23:43:00.361954 132.227.74.11.22 > 192.168.0.17.65511: P 1:53(52) ack 1 win 32850 <nop,nop,timestamp 1 0> (DF)
23:43:00.362156 192.168.0.17.65511 > 132.227.74.11.22: P 1:52(51) ack 53 win 33580 <nop,nop,timestamp 0 1> (DF)
23:43:00.407233 132.227.74.11.22 > 192.168.0.17.65511: P 53:597(544) ack 52 win 32850 <nop,nop,timestamp 1 0> (DF)
23:43:00.407273 192.168.0.17.65511 > 132.227.74.11.22: P 52:596(544) ack 597 win 33036 <nop,nop,timestamp 0 1> (DF)
23:43:00.652141 132.227.74.11.22 > 192.168.0.17.65511: . ack 596 win 32850 <nop,nop,timestamp 1 0> (DF)
23:43:00.652168 192.168.0.17.65511 > 132.227.74.11.22: P 596:620(24) ack 597 win 33580 <nop,nop,timestamp 1 1> (DF)
23:43:00.704153 132.227.74.11.22 > 192.168.0.17.65511: P 597:1021(424) ack 620 win 32850 <nop,nop,timestamp 1 1> (DF)
23:43:00.740399 192.168.0.17.65511 > 132.227.74.11.22: P 620:1036(416) ack 1021 win 33580 <nop,nop,timestamp 1 1> (DF)
23:43:00.844513 132.227.74.11.22 > 192.168.0.17.65511: P 1021:1757(736) ack 1036 win 32850 <nop,nop,timestamp 2 1> (DF)
23:43:00.891756 192.168.0.17.65511 > 132.227.74.11.22: P 1036:1052(16) ack 1757 win 33580 <nop,nop,timestamp 1 2> (DF)
23:43:01.122283 132.227.74.11.22 > 192.168.0.17.65511: . ack 1052 win 32850 <nop,nop,timestamp 2 1> (DF)
23:43:01.122326 192.168.0.17.65511 > 132.227.74.11.22: P 1052:1100(48) ack 1757 win 33580 <nop,nop,timestamp 2 2> (DF)
23:43:01.163498 132.227.74.11.22 > 192.168.0.17.65511: P 1757:1805(48) ack 1100 win 32850 <nop,nop,timestamp 2 2> (DF)
23:43:01.163630 192.168.0.17.65511 > 132.227.74.11.22: P 1100:1164(64) ack 1805 win 33580 <nop,nop,timestamp 2 2> (DF)
23:43:01.206081 132.227.74.11.22 > 192.168.0.17.65511: P 1805:1837(32) ack 1164 win 32850 <nop,nop,timestamp 2 2> (DF)
23:43:01.206233 192.168.0.17.65511 > 132.227.74.11.22: P 1164:1228(64) ack 1837 win 33580 <nop,nop,timestamp 2 2> (DF)
23:43:01.245337 132.227.74.11.22 > 192.168.0.17.65511: P 1837:1885(48) ack 1228 win 32850 <nop,nop,timestamp 2 2> (DF)
23:43:01.245445 192.168.0.17.65511 > 132.227.74.11.22: P 1228:1292(64) ack 1885 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.285012 132.227.74.11.22 > 192.168.0.17.65511: P 1885:1933(48) ack 1292 win 32850 <nop,nop,timestamp 2 2> (DF)
23:43:01.285145 192.168.0.17.65511 > 132.227.74.11.22: P 1292:1676(384) ack 1933 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.331676 132.227.74.11.22 > 192.168.0.17.65511: P 1933:2573(640) ack 1676 win 32850 <nop,nop,timestamp 2 2> (DF)
23:43:01.344953 192.168.0.17.65511 > 132.227.74.11.22: P 1676:1724(48) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.351430 192.168.0.17.65511 > 132.227.74.11.22: . 1724:3172(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.351572 192.168.0.17.65511 > 132.227.74.11.22: . 3172:4620(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.351834 192.168.0.17.65511 > 132.227.74.11.22: . 4620:6068(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.351969 192.168.0.17.65511 > 132.227.74.11.22: . 6068:7516(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.352104 192.168.0.17.65511 > 132.227.74.11.22: . 7516:8964(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.367607 192.168.0.17.65511 > 132.227.74.11.22: . 8964:10412(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.367750 192.168.0.17.65511 > 132.227.74.11.22: . 10412:11860(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.367885 192.168.0.17.65511 > 132.227.74.11.22: . 11860:13308(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.368131 192.168.0.17.65511 > 132.227.74.11.22: . 13308:14756(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.368266 192.168.0.17.65511 > 132.227.74.11.22: . 14756:16204(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.368402 192.168.0.17.65511 > 132.227.74.11.22: . 16204:17652(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.383364 192.168.0.17.65511 > 132.227.74.11.22: . 17652:19100(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.412284 132.227.74.11.22 > 192.168.0.17.65511: . ack 3172 win 32126 <nop,nop,timestamp 3 2> (DF)
23:43:01.412401 192.168.0.17.65511 > 132.227.74.11.22: . 19100:20548(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.412435 192.168.0.17.65511 > 132.227.74.11.22: . 20548:21996(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.412571 192.168.0.17.65511 > 132.227.74.11.22: . 21996:23444(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.434204 132.227.74.11.22 > 192.168.0.17.65511: . ack 4620 win 32850 <nop,nop,timestamp 3 2> (DF)
23:43:01.434330 192.168.0.17.65511 > 132.227.74.11.22: . 23444:24892(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.434365 192.168.0.17.65511 > 132.227.74.11.22: . 24892:26340(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.475350 132.227.74.11.22 > 192.168.0.17.65511: . ack 7516 win 32126 <nop,nop,timestamp 3 2> (DF)
23:43:01.475473 192.168.0.17.65511 > 132.227.74.11.22: . 26340:27788(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.475507 192.168.0.17.65511 > 132.227.74.11.22: . 27788:29236(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.475641 192.168.0.17.65511 > 132.227.74.11.22: . 29236:30684(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.496774 132.227.74.11.22 > 192.168.0.17.65511: . ack 8964 win 32850 <nop,nop,timestamp 3 2> (DF)
23:43:01.496896 192.168.0.17.65511 > 132.227.74.11.22: . 30684:32132(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.496933 192.168.0.17.65511 > 132.227.74.11.22: . 32132:33580(1448) ack 2573 win 33580 <nop,nop,timestamp 2 2> (DF) [tos 0x8] 
23:43:01.540388 132.227.74.11.22 > 192.168.0.17.65511: . ack 11860 win 32126 <nop,nop,timestamp 3 2> (DF)
23:43:01.540507 192.168.0.17.65511 > 132.227.74.11.22: . 33580:35028(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.540541 192.168.0.17.65511 > 132.227.74.11.22: . 35028:36476(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.540675 192.168.0.17.65511 > 132.227.74.11.22: . 36476:37924(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.560870 132.227.74.11.22 > 192.168.0.17.65511: . ack 13308 win 32850 <nop,nop,timestamp 3 2> (DF)
23:43:01.560993 192.168.0.17.65511 > 132.227.74.11.22: . 37924:39372(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.561033 192.168.0.17.65511 > 132.227.74.11.22: . 39372:40820(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.602973 132.227.74.11.22 > 192.168.0.17.65511: . ack 16204 win 32126 <nop,nop,timestamp 3 2> (DF)
23:43:01.603097 192.168.0.17.65511 > 132.227.74.11.22: . 40820:42268(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.603147 192.168.0.17.65511 > 132.227.74.11.22: . 42268:43716(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.603149 192.168.0.17.65511 > 132.227.74.11.22: P 43716:45164(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.624478 132.227.74.11.22 > 192.168.0.17.65511: . ack 17652 win 32850 <nop,nop,timestamp 3 2> (DF)
23:43:01.624583 192.168.0.17.65511 > 132.227.74.11.22: . 45164:46612(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.624630 192.168.0.17.65511 > 132.227.74.11.22: . 46612:48060(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.667771 132.227.74.11.22 > 192.168.0.17.65511: . ack 20548 win 32126 <nop,nop,timestamp 3 2> (DF)
23:43:01.667880 192.168.0.17.65511 > 132.227.74.11.22: P 48060:49508(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.667978 192.168.0.17.65511 > 132.227.74.11.22: . 49508:50956(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.668058 192.168.0.17.65511 > 132.227.74.11.22: . 50956:52404(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.688231 132.227.74.11.22 > 192.168.0.17.65511: . ack 21996 win 32850 <nop,nop,timestamp 3 2> (DF)
23:43:01.688263 192.168.0.17.65511 > 132.227.74.11.22: P 52404:53852(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.731376 132.227.74.11.22 > 192.168.0.17.65511: . ack 24892 win 32126 <nop,nop,timestamp 3 2> (DF)
23:43:01.731427 192.168.0.17.65511 > 132.227.74.11.22: . 53852:55300(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.731473 192.168.0.17.65511 > 132.227.74.11.22: . 55300:56748(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.731476 192.168.0.17.65511 > 132.227.74.11.22: P 56748:58196(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.751611 132.227.74.11.22 > 192.168.0.17.65511: . ack 26340 win 32850 <nop,nop,timestamp 3 2> (DF)
23:43:01.793929 132.227.74.11.22 > 192.168.0.17.65511: . ack 29236 win 32126 <nop,nop,timestamp 3 2> (DF)
23:43:01.793979 192.168.0.17.65511 > 132.227.74.11.22: . 58196:59644(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.794025 192.168.0.17.65511 > 132.227.74.11.22: . 59644:61092(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.794027 192.168.0.17.65511 > 132.227.74.11.22: P 61092:62540(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.815413 132.227.74.11.22 > 192.168.0.17.65511: . ack 30684 win 32850 <nop,nop,timestamp 3 2> (DF)
23:43:01.858014 132.227.74.11.22 > 192.168.0.17.65511: . ack 33580 win 32126 <nop,nop,timestamp 4 2> (DF)
23:43:01.858063 192.168.0.17.65511 > 132.227.74.11.22: . 62540:63988(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.858111 192.168.0.17.65511 > 132.227.74.11.22: . 63988:65436(1448) ack 2573 win 33580 <nop,nop,timestamp 3 2> (DF) [tos 0x8] 
23:43:01.879984 132.227.74.11.22 > 192.168.0.17.65511: . ack 35028 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:01.921566 132.227.74.11.22 > 192.168.0.17.65511: . ack 37924 win 32126 <nop,nop,timestamp 4 3> (DF)
23:43:01.943245 132.227.74.11.22 > 192.168.0.17.65511: . ack 39372 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:01.985171 132.227.74.11.22 > 192.168.0.17.65511: . ack 42268 win 32126 <nop,nop,timestamp 4 3> (DF)
23:43:02.006564 132.227.74.11.22 > 192.168.0.17.65511: . ack 43716 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:02.048467 132.227.74.11.22 > 192.168.0.17.65511: . ack 46612 win 32126 <nop,nop,timestamp 4 3> (DF)
23:43:02.070146 132.227.74.11.22 > 192.168.0.17.65511: . ack 48060 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:02.112569 132.227.74.11.22 > 192.168.0.17.65511: . ack 50956 win 32126 <nop,nop,timestamp 4 3> (DF)
23:43:02.133691 132.227.74.11.22 > 192.168.0.17.65511: . ack 52404 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:02.176342 132.227.74.11.22 > 192.168.0.17.65511: . ack 55300 win 32126 <nop,nop,timestamp 4 3> (DF)
23:43:02.196800 132.227.74.11.22 > 192.168.0.17.65511: . ack 56748 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:02.238901 132.227.74.11.22 > 192.168.0.17.65511: . ack 59644 win 32126 <nop,nop,timestamp 4 3> (DF)
23:43:02.260891 132.227.74.11.22 > 192.168.0.17.65511: . ack 61092 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:02.303243 132.227.74.11.22 > 192.168.0.17.65511: . ack 63988 win 32126 <nop,nop,timestamp 4 3> (DF)
23:43:02.324195 132.227.74.11.22 > 192.168.0.17.65511: . ack 65436 win 32850 <nop,nop,timestamp 4 3> (DF)
23:43:04.315473 192.168.0.17.65511 > 132.227.74.11.22: FP 65436:66884(1448) ack 2573 win 33580 <nop,nop,timestamp 8 2> (DF) [tos 0x8] 
23:43:04.376518 132.227.74.11.22 > 192.168.0.17.65511: . ack 66885 win 32126 <nop,nop,timestamp 9 8> (DF)
23:43:04.377193 132.227.74.11.22 > 192.168.0.17.65511: F 2573:2573(0) ack 66885 win 32126 <nop,nop,timestamp 9 8> (DF)
23:43:04.377223 192.168.0.17.65511 > 132.227.74.11.22: . ack 2574 win 33579 <nop,nop,timestamp 8 9> (DF) [tos 0x8] 



################# tcpdump trace for `/usr/pkg/bin/lpr' #################

23:47:10.024647 192.168.0.17.760 > 192.168.0.2.515: S 96016672:96016672(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
23:47:10.024808 192.168.0.2.515 > 192.168.0.17.760: S 2721792163:2721792163(0) ack 96016673 win 5840 <mss 1460,nop,wscale 2> (DF)
23:47:10.024864 192.168.0.17.760 > 192.168.0.2.515: . ack 1 win 33580 (DF)
23:47:10.024953 192.168.0.17.760 > 192.168.0.2.515: P 1:11(10) ack 1 win 33580 (DF)
23:47:10.025046 192.168.0.2.515 > 192.168.0.17.760: . ack 11 win 1460 (DF)
23:47:10.026175 192.168.0.2.515 > 192.168.0.17.760: P 1:2(1) ack 11 win 1460 (DF)
23:47:10.026229 192.168.0.17.760 > 192.168.0.2.515: P 11:32(21) ack 2 win 33580 (DF)
23:47:10.026738 192.168.0.2.515 > 192.168.0.17.760: P 2:3(1) ack 32 win 1460 (DF)
23:47:10.026777 192.168.0.17.760 > 192.168.0.2.515: P 32:176(144) ack 3 win 33580 (DF)
23:47:10.027211 192.168.0.2.515 > 192.168.0.17.760: P 3:4(1) ack 176 win 1728 (DF)
23:47:10.027300 192.168.0.17.760 > 192.168.0.2.515: P 176:199(23) ack 4 win 33580 (DF)
23:47:10.027658 192.168.0.2.515 > 192.168.0.17.760: P 4:5(1) ack 199 win 1728 (DF)
23:47:10.027778 192.168.0.17.760 > 192.168.0.2.515: . 199:1659(1460) ack 5 win 33580 (DF)
23:47:10.027826 192.168.0.17.760 > 192.168.0.2.515: . 1659:3119(1460) ack 5 win 33580 (DF)
23:47:10.027828 192.168.0.17.760 > 192.168.0.2.515: . 3119:4579(1460) ack 5 win 33580 (DF)
23:47:10.028325 192.168.0.2.515 > 192.168.0.17.760: . ack 3119 win 3188 (DF)
23:47:10.068371 192.168.0.2.515 > 192.168.0.17.760: . ack 4579 win 3918 (DF)
23:47:11.068432 192.168.0.17.760 > 192.168.0.2.515: . 4579:6039(1460) ack 5 win 33580 (DF)
23:47:11.068951 192.168.0.2.515 > 192.168.0.17.760: . ack 6039 win 4648 (DF)
23:47:11.068988 192.168.0.17.760 > 192.168.0.2.515: . 6039:7499(1460) ack 5 win 33580 (DF)
23:47:11.069033 192.168.0.17.760 > 192.168.0.2.515: . 7499:8959(1460) ack 5 win 33580 (DF)
23:47:11.069393 192.168.0.2.515 > 192.168.0.17.760: . ack 7499 win 5378 (DF)
23:47:11.069419 192.168.0.17.760 > 192.168.0.2.515: . 8959:10419(1460) ack 5 win 33580 (DF)
23:47:11.069450 192.168.0.17.760 > 192.168.0.2.515: FP 10419:10439(20) ack 5 win 33580 (DF)
23:47:11.069522 192.168.0.2.515 > 192.168.0.17.760: . ack 8959 win 6108 (DF)
23:47:11.069818 192.168.0.2.515 > 192.168.0.17.760: . ack 10419 win 6838 (DF)
23:47:11.069987 192.168.0.2.515 > 192.168.0.17.760: P 5:69(64) ack 10440 win 6838 (DF)
23:47:11.070016 192.168.0.2.515 > 192.168.0.17.760: F 69:69(0) ack 10440 win 6838 (DF)
23:47:11.070034 192.168.0.17.760 > 192.168.0.2.515: . ack 69 win 33516 (DF)
23:47:11.070064 192.168.0.17.760 > 192.168.0.2.515: . ack 70 win 33516 (DF)
23:47:21.080827 192.168.0.17.761 > 192.168.0.2.515: S 497990363:497990363(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
23:47:21.080983 192.168.0.2.515 > 192.168.0.17.761: S 2730877312:2730877312(0) ack 497990364 win 5840 <mss 1460,nop,wscale 2> (DF)
23:47:21.081033 192.168.0.17.761 > 192.168.0.2.515: . ack 1 win 33580 (DF)
23:47:21.081101 192.168.0.17.761 > 192.168.0.2.515: P 1:11(10) ack 1 win 33580 (DF)
23:47:21.081192 192.168.0.2.515 > 192.168.0.17.761: . ack 11 win 1460 (DF)
23:47:21.082344 192.168.0.2.515 > 192.168.0.17.761: P 1:2(1) ack 11 win 1460 (DF)
23:47:21.082397 192.168.0.17.761 > 192.168.0.2.515: P 11:32(21) ack 2 win 33580 (DF)
23:47:21.082884 192.168.0.2.515 > 192.168.0.17.761: P 2:3(1) ack 32 win 1460 (DF)
23:47:21.082922 192.168.0.17.761 > 192.168.0.2.515: P 32:176(144) ack 3 win 33580 (DF)
23:47:21.083370 192.168.0.2.515 > 192.168.0.17.761: P 3:4(1) ack 176 win 1728 (DF)
23:47:21.083489 192.168.0.17.761 > 192.168.0.2.515: P 176:199(23) ack 4 win 33580 (DF)
23:47:21.083827 192.168.0.2.515 > 192.168.0.17.761: P 4:5(1) ack 199 win 1728 (DF)
23:47:21.083951 192.168.0.17.761 > 192.168.0.2.515: . 199:1659(1460) ack 5 win 33580 (DF)
23:47:21.083998 192.168.0.17.761 > 192.168.0.2.515: . 1659:3119(1460) ack 5 win 33580 (DF)
23:47:21.084001 192.168.0.17.761 > 192.168.0.2.515: . 3119:4579(1460) ack 5 win 33580 (DF)
23:47:21.084498 192.168.0.2.515 > 192.168.0.17.761: . ack 3119 win 3188 (DF)
23:47:21.124087 192.168.0.2.515 > 192.168.0.17.761: . ack 4579 win 3918 (DF)
23:47:22.120790 192.168.0.17.761 > 192.168.0.2.515: . 4579:6039(1460) ack 5 win 33580 (DF)
23:47:22.121308 192.168.0.2.515 > 192.168.0.17.761: . ack 6039 win 4648 (DF)
23:47:22.121339 192.168.0.17.761 > 192.168.0.2.515: . 6039:7499(1460) ack 5 win 33580 (DF)
23:47:22.121384 192.168.0.17.761 > 192.168.0.2.515: . 7499:8959(1460) ack 5 win 33580 (DF)
23:47:22.121743 192.168.0.2.515 > 192.168.0.17.761: . ack 7499 win 5378 (DF)
23:47:22.121769 192.168.0.17.761 > 192.168.0.2.515: . 8959:10419(1460) ack 5 win 33580 (DF)
23:47:22.121801 192.168.0.17.761 > 192.168.0.2.515: FP 10419:10439(20) ack 5 win 33580 (DF)
23:47:22.121887 192.168.0.2.515 > 192.168.0.17.761: . ack 8959 win 6108 (DF)
23:47:22.122170 192.168.0.2.515 > 192.168.0.17.761: . ack 10419 win 6838 (DF)
23:47:22.122336 192.168.0.2.515 > 192.168.0.17.761: P 5:69(64) ack 10440 win 6838 (DF)
23:47:22.122365 192.168.0.2.515 > 192.168.0.17.761: F 69:69(0) ack 10440 win 6838 (DF)
23:47:22.122380 192.168.0.17.761 > 192.168.0.2.515: . ack 69 win 33516 (DF)
23:47:22.122410 192.168.0.17.761 > 192.168.0.2.515: . ack 70 win 33516 (DF)
23:47:32.133294 192.168.0.17.762 > 192.168.0.2.515: S 885814328:885814328(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
23:47:32.133454 192.168.0.2.515 > 192.168.0.17.762: S 2752706627:2752706627(0) ack 885814329 win 5840 <mss 1460,nop,wscale 2> (DF)
23:47:32.133514 192.168.0.17.762 > 192.168.0.2.515: . ack 1 win 33580 (DF)
23:47:32.133596 192.168.0.17.762 > 192.168.0.2.515: P 1:11(10) ack 1 win 33580 (DF)
23:47:32.133688 192.168.0.2.515 > 192.168.0.17.762: . ack 11 win 1460 (DF)
23:47:32.134895 192.168.0.2.515 > 192.168.0.17.762: P 1:2(1) ack 11 win 1460 (DF)
23:47:32.134951 192.168.0.17.762 > 192.168.0.2.515: P 11:32(21) ack 2 win 33580 (DF)
23:47:32.135430 192.168.0.2.515 > 192.168.0.17.762: P 2:3(1) ack 32 win 1460 (DF)
23:47:32.135470 192.168.0.17.762 > 192.168.0.2.515: P 32:176(144) ack 3 win 33580 (DF)
23:47:32.135954 192.168.0.2.515 > 192.168.0.17.762: P 3:4(1) ack 176 win 1728 (DF)
23:47:32.136103 192.168.0.17.762 > 192.168.0.2.515: P 176:199(23) ack 4 win 33580 (DF)
23:47:32.136447 192.168.0.2.515 > 192.168.0.17.762: P 4:5(1) ack 199 win 1728 (DF)
23:47:32.136601 192.168.0.17.762 > 192.168.0.2.515: . 199:1659(1460) ack 5 win 33580 (DF)
23:47:32.136652 192.168.0.17.762 > 192.168.0.2.515: . 1659:3119(1460) ack 5 win 33580 (DF)
23:47:32.136654 192.168.0.17.762 > 192.168.0.2.515: . 3119:4579(1460) ack 5 win 33580 (DF)
23:47:32.137150 192.168.0.2.515 > 192.168.0.17.762: . ack 3119 win 3188 (DF)
23:47:32.176763 192.168.0.2.515 > 192.168.0.17.762: . ack 4579 win 3918 (DF)
23:47:33.173165 192.168.0.17.762 > 192.168.0.2.515: . 4579:6039(1460) ack 5 win 33580 (DF)
23:47:33.173698 192.168.0.2.515 > 192.168.0.17.762: . ack 6039 win 4648 (DF)
23:47:33.173730 192.168.0.17.762 > 192.168.0.2.515: . 6039:7499(1460) ack 5 win 33580 (DF)
23:47:33.173775 192.168.0.17.762 > 192.168.0.2.515: . 7499:8959(1460) ack 5 win 33580 (DF)
23:47:33.174134 192.168.0.2.515 > 192.168.0.17.762: . ack 7499 win 5378 (DF)
23:47:33.174160 192.168.0.17.762 > 192.168.0.2.515: . 8959:10419(1460) ack 5 win 33580 (DF)
23:47:33.174191 192.168.0.17.762 > 192.168.0.2.515: FP 10419:10439(20) ack 5 win 33580 (DF)
23:47:33.174263 192.168.0.2.515 > 192.168.0.17.762: . ack 8959 win 6108 (DF)
23:47:33.174573 192.168.0.2.515 > 192.168.0.17.762: . ack 10419 win 6838 (DF)
23:47:33.174737 192.168.0.2.515 > 192.168.0.17.762: P 5:69(64) ack 10440 win 6838 (DF)
23:47:33.174765 192.168.0.2.515 > 192.168.0.17.762: F 69:69(0) ack 10440 win 6838 (DF)
23:47:33.174784 192.168.0.17.762 > 192.168.0.2.515: . ack 69 win 33516 (DF)
23:47:33.174814 192.168.0.17.762 > 192.168.0.2.515: . ack 70 win 33516 (DF)


>How-To-Repeat:
	In my case, I can reliably repeat these problems on my home LAN,
        but they do not occur on my workplace's LAN.
>Fix:
	To work around this problem, out-of-window packets can be forced
        to go through the filter using lines to match OOW packets
        (``with oow'') in /etc/ipf.conf (see above).  But then, such
        packets are passed by the filter regardless of state information.
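
Added example, not part of the original report: a Python script that tallies the OOW entries in ipmon output per rule and destination, so the volume of traffic that the ``with oow'' workaround rules pass regardless of state can be measured against what the default rule blocks. The sample lines are taken from the ipmon output quoted above plus one constructed non-OOW line; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The first six lines are taken from the ipmon output quoted in the report;
# the last line is constructed (a blocked inbound SYN that is not OOW).
SAMPLE = """\
12/01/2005 23:43:01.858100 ex0 @0:1 b 192.168.0.17,65511 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
12/01/2005 23:43:01.858486 ex0 @0:1 b 192.168.0.17,65511 -> 132.227.74.11,22 PR tcp len 20 52 -AF OUT OOW
12/01/2005 23:47:10.027815 3x ex0 @0:1 b 192.168.0.17,760 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW
12/01/2005 23:47:21.083988 2x ex0 @0:1 b 192.168.0.17,761 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW
12/01/2005 23:52:16.246011 10x ex0 @0:6 p 192.168.0.17,65509 -> 132.227.74.11,22 PR tcp len 20 1500 -AP OUT OOW
12/01/2005 23:50:23.390725 8x ex0 @0:7 p 192.168.0.17,554 -> 192.168.0.2,515 PR tcp len 20 1500 -A OUT OOW
12/01/2005 23:55:00.000000 ex0 @0:1 b 192.168.0.2,4000 -> 192.168.0.17,23 PR tcp len 20 60 -S IN
"""

# Layout of a TCP entry as it appears in the report:
#   date time [Nx] iface @group:rule action src,port -> dst,port
#   PR proto len <hdrlen> <iplen> -<flags> IN|OUT [OOW]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"(?:(?P<repeat>\d+)x )?"
    r"(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<iplen>\d+) "
    r"-(?P<flags>[A-Z]+) (?P<dir>IN|OUT)(?P<tail>.*)$"
)


def parse_line(line):
    """Parse one ipmon TCP entry; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # "Nx" collapses N identical log entries into one line; absent means 1.
    rec["repeat"] = int(rec["repeat"] or 1)
    for field in ("sport", "dport", "hlen", "iplen"):
        rec[field] = int(rec[field])
    rec["oow"] = "OOW" in rec.pop("tail").split()
    return rec


def summarize_oow(lines):
    """Aggregate OOW entries by (action, rule, destination, destination port)."""
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0, "sports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["oow"]:
            continue
        entry = summary[(rec["action"], rec["rule"], rec["dst"], rec["dport"])]
        entry["packets"] += rec["repeat"]
        # Assumes every collapsed entry had the logged IP length.
        entry["bytes"] += rec["repeat"] * rec["iplen"]
        entry["sports"].add(rec["sport"])
    return dict(summary)


def rules_passing_oow(summary):
    """Rules whose action is 'p' for OOW packets, i.e. passed outside state."""
    return sorted({rule for (action, rule, _, _) in summary if action == "p"})


if __name__ == "__main__":
    result = summarize_oow(SAMPLE.splitlines())
    for (action, rule, dst, dport), entry in sorted(result.items()):
        verdict = "passed" if action == "p" else "blocked"
        print(f"@{rule} {verdict:7} -> {dst},{dport}: "
              f"{entry['packets']} pkts, {entry['bytes']} bytes, "
              f"{len(entry['sports'])} source port(s)")
    print("rules passing OOW without state:", rules_passing_oow(result))
```
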