Lots of packets to files.atx.pfmechanics.com?



  • Hi,

    Since I upgraded to v2.1.5 (amd64) I can see a lot of packets with TCP retransmissions from pfSense to files.atx.pfmechanics.com port 80.

    Which service in pfSense can send these packets? I have a proxy configured for packages and updates, but these packets are not sent to the proxy… that's why they are continually re-issued as SYNs and never ACKed.

    A Wireshark capture is attached.
    Raw log:

    tcpdump -i em0 -s0 -v 'host 208.123.73.81'
    tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:51:21.676002 IP (tos 0x0, ttl 64, id 42766, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0xcb1b (correct), seq 1191992875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 620692865 ecr 0], length 0
    16:51:24.643451 IP (tos 0x0, ttl 64, id 26393, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0xbf63 (correct), seq 1191992875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 620695865 ecr 0], length 0
    16:51:27.810030 IP (tos 0x0, ttl 64, id 52564, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0xb2e3 (correct), seq 1191992875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 620699065 ecr 0], length 0
    16:51:30.975361 IP (tos 0x0, ttl 64, id 416, offset 0, flags [DF], proto TCP (6), length 48)
        192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0x31bc (correct), seq 1191992875, win 65228, options [mss 1460,sackOK,eol], length 0
    16:51:34.141409 IP (tos 0x0, ttl 64, id 25897, offset 0, flags [DF], proto TCP (6), length 48)
        192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0x31bc (correct), seq 1191992875, win 65228, options [mss 1460,sackOK,eol], length 0
    16:51:37.308573 IP (tos 0x0, ttl 64, id 22012, offset 0, flags [DF], proto TCP (6), length 48)
        192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0x31bc (correct), seq 1191992875, win 65228, options [mss 1460,sackOK,eol], length 0
    16:51:43.443565 IP (tos 0x0, ttl 64, id 15998, offset 0, flags [DF], proto TCP (6), length 48)
        192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0x31bc (correct), seq 1191992875, win 65228, options [mss 1460,sackOK,eol], length 0
    
    Thank you for your help :)
    
    ![pfpackets.png](/public/_imported_attachments_/1/pfpackets.png)
    
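The capture above shows the signature of an outbound connection that never completes: the same source port re-sending a SYN with the same initial sequence number, and nothing coming back from the peer. The script below is an added example, not part of the original post and not a pfSense tool: it reads `tcpdump -v` text on stdin and reports every "src > dst" flow that sent at least N SYNs with one ISN and never received a SYN-ACK. The sample lines inside it are constructed, modelled on the post's capture, with an extra control flow to files.pfsense.org (an assumed name) that does get answered and is therefore not reported.

```shell
#!/bin/sh
# Added example: flag flows that keep re-sending a SYN with the same ISN and
# never see a SYN-ACK, from tcpdump -v output on stdin. Not pfSense code.

# syn_retry_flows [THRESHOLD]
# Prints one line per "src > dst" flow that sent at least THRESHOLD SYNs
# carrying the same initial sequence number and received no SYN-ACK.
syn_retry_flows() {
    thr="${1:-3}"
    awk -v thr="$thr" '
        # Packet lines in tcpdump -v output look like:
        #   "    A.B.C.D.port > host.http: Flags [S], cksum ..., seq N, ..."
        / > [^ ]+: Flags \[/ {
            src = $1
            dst = $3
            sub(/:$/, "", dst)
            if ($0 ~ /Flags \[S\],/) {
                # Pure SYN: remember its ISN and count repeats of that ISN.
                match($0, /seq [0-9]+/)
                isn = substr($0, RSTART + 4, RLENGTH - 4)
                key = src " > " dst
                if ((key in isn_of) && isn_of[key] == isn) {
                    syns[key]++
                } else {
                    isn_of[key] = isn
                    syns[key] = 1
                }
            } else if ($0 ~ /Flags \[S\.\],/) {
                # SYN-ACK from the peer: mark the reverse flow as answered.
                answered[dst " > " src] = 1
            }
        }
        END {
            for (k in syns)
                if (syns[k] >= thr && !(k in answered))
                    printf "%s: %d SYNs with ISN %s and no SYN-ACK\n", k, syns[k], isn_of[k]
        }'
}

# Constructed sample modelled on the post's capture (not the original attachment):
# three identical SYNs to files.atx.pfmechanics.com, plus a control flow to
# files.pfsense.org (assumed name) that is answered with a SYN-ACK.
SAMPLE='16:51:21.676002 IP (tos 0x0, ttl 64, id 42766, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0xcb1b (correct), seq 1191992875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 620692865 ecr 0], length 0
16:51:24.643451 IP (tos 0x0, ttl 64, id 26393, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0xbf63 (correct), seq 1191992875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 620695865 ecr 0], length 0
16:51:27.810030 IP (tos 0x0, ttl 64, id 52564, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.254.6420 > files.atx.pfmechanics.com.http: Flags [S], cksum 0xb2e3 (correct), seq 1191992875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 620699065 ecr 0], length 0
16:51:28.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.254.50000 > files.pfsense.org.http: Flags [S], cksum 0x0000 (correct), seq 1000, win 65228, options [mss 1460], length 0
16:51:28.050000 IP (tos 0x0, ttl 52, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    files.pfsense.org.http > 192.168.0.254.50000: Flags [S.], cksum 0x0000 (correct), seq 2000, ack 1001, win 65535, options [mss 1460], length 0'

# run_sample: apply the check to the constructed sample.
run_sample() {
    printf '%s\n' "$SAMPLE" | syn_retry_flows 3
}
```

For a live box, capture to a file first and feed that in, since the report is only printed once the input ends: `tcpdump -i em0 -v -c 200 'host 208.123.73.81' > cap.txt; syn_retry_flows 3 < cap.txt`. While the SYNs are still being sent, `sockstat -4` on FreeBSD shows which process owns the source port (6420 in the capture above), which identifies the culprit faster than guessing.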

  • Rebel Alliance Developer Netgate

    Several things can come from there, mostly packages, updates, and bogons.



  • Probably bogons; pre-2.2 the bogon fetch doesn't use the configured proxy, whereas packages and updates all should. Check your system logs; if it's bogons, that'll be logging there.



  • Sorry, I can't understand the relation between bogons (bad IPs, http://www.team-cymru.org/Services/Bogons/) and this traffic?

    I should point out that with 2.0.x the issue was not present.

    (I'll check my syslog asap)



  • I think they're saying that the traffic you're seeing is a result of pfSense trying to update its Bogon list.



  • @KOM:

    I think they're saying that the traffic you're seeing is a result of pfSense trying to update its Bogon list.

    Yes, that.

    Every version would behave that way (up until 2.2, which should use the proxy for everything now), though I think 2.1.x versions are more persistent about getting that update than 2.0.x systems.



  • OK I understand, thank you.

    What is the solution? Block this traffic? Can I block only the bogon flow and not the package network flow?
    Or maybe it's possible to configure something to use the proxy for updating the bogon list (setenv…)?



  • Ignore the noise until 2.2, or disable bogon updates under System > Advanced until 2.2 (but make sure to re-enable it later if you're using block bogons).



  • In System > Advanced > Firewall/NAT I can only choose the update frequency: Monthly, Daily, Weekly, but it's not possible to disable it.

    If I kill:

    
    /usr/bin/fetch -a -T 30 -q -o /tmp/bogonsv6 http://files.pfsense.org/lists/fullbogons-ipv6.txt
    /usr/bin/fetch -a -T 30 -q -o /tmp/bogons http://files.pfsense.org/lists/fullbogons-ipv4.txt
    
    

    No more traffic, good news!

    The solution is to edit the script /etc/rc.update_bogons.sh and add your proxy:

    export http_proxy='http://yourproxy:port'
    

    rc.update_bogons.sh is executed from /etc/crontab (modify via the web interface only):

    1       3       1       *       *       root    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    


  • Yeah, that proxy change will work around it in the meantime until 2.2. Once you upgrade to 2.2, that change will get overwritten, but it'll work automatically at that point.



  • Great, so… issue fixed :)

    Do you know when the 2.2 release will be available?