no-df and cksum errors in tcpdump

Derkjan de Haan derkjan at haanjdj.demon.nl
Tue May 31 04:56:18 PDT 2005


All,

I am using FreeBSD-STABLE on my home server/firewall. Yesterday I played a
bit with the no-df scrub option. However, this yields errors with tcpdump
in protocol decoding mode:

tcpdump -n -e -ttt -v -r /var/log/pflog

A couple of lines from the log:

088889 rule 31/0(match): pass in on em1: IP (tos 0x10, ttl  58, id 21397,
offset 0, flags [none], length: 60, bad cksum 7186 (->b186)!)
195.245.244.241.40947 > 192.168.2.1.6346: S [tcp sum ok]
855340762:855340762(0) win 5840 <mss1460,sackOK,timestamp 1191076828
0,nop,wscale 4>
095894 rule 31/0(match): pass in on em1: IP (tos 0x10, ttl  60, id 18568,
offset 0, flags [none], length: 60, bad cksum bf87 (->ff87)!)
62.241.53.2.46125 > 192.168.2.1.6346: S [tcp sum ok]
3675198613:3675198613(0) win 5840 <mss 1460,sackOK,timestamp 4006419616
0,nop,wscale 2>
882863 rule 0/0(match): block in on em1: IP (tos 0x0, ttl 123, id 55684,
offset 0, flags [none], length: 48, bad cksum e3b2 (->23b3)!)
82.161.151.113.4988 > 82.161.5.221.445: S [tcp sum ok]
1263353290:1263353290(0) win 64240 <mss 1460,nop,nop,sackOK>

The relevant line from pf config (full config available on request):

scrub on $ext_if all no-df random-id reassemble tcp

The strange thing is that as soon as I remove the no-df from my pf
configuration, the 'bad cksum' disappears. Has anybody seen this before?
Can it be that pf doesn't recompute the checksum after altering the packet?


regards,

Derkjan
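The three "bad cksum X (->Y)" pairs quoted above (7186->b186, bf87->ff87, e3b2->23b3) all differ, in one's-complement arithmetic, by exactly 0x4000, which is the value of the DF bit in the IPv4 flags/fragment-offset word. That is what an IPv4 header looks like when DF has been cleared but the header checksum was left as it was. The following script is an added example, not code from the poster or from pf: it builds a constructed 20-byte IPv4 header (RFC 5737 test addresses, other field values chosen to resemble the log), clears DF with and without a checksum fix-up, verifies each result the way tcpdump -v does, and applies the RFC 1624 incremental update to the post's three checksum pairs. It uses only the Python standard library.

```python
"""
Added example (not from the original post): reproduce the 'bad cksum X (->Y)'
pattern tcpdump reports when an IPv4 header's DF bit is cleared but the header
checksum is left stale, and show the RFC 1624 incremental fix-up that a packet
modifier should apply.  All header field values below are constructed.
"""
import struct

DF_FLAG = 0x4000        # Don't Fragment bit in the flags/fragment-offset word
FLAGS_OFFSET = 6        # byte offset of the flags/fragment-offset word
CKSUM_OFFSET = 10       # byte offset of the header checksum word


def _fold(total: int) -> int:
    """Fold carries back into 16 bits (one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_sum(data: bytes) -> int:
    """One's-complement sum of the 16-bit big-endian words of an even-length buffer."""
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    return _fold(sum(words))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field forced to zero."""
    zeroed = header[:CKSUM_OFFSET] + b"\x00\x00" + header[CKSUM_OFFSET + 2:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def header_is_valid(header: bytes) -> bool:
    """A correct header, summed including its checksum field, gives 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def incremental_update(old_cksum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one changed 16-bit word."""
    s = (~old_cksum & 0xFFFF) + (~old_word & 0xFFFF) + (new_word & 0xFFFF)
    return (~_fold(s)) & 0xFFFF


def build_header(df: bool) -> bytes:
    """Constructed IPv4/TCP header (RFC 5737 addresses) with a correct checksum."""
    flags_frag = DF_FLAG if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0x10, 60,         # version/IHL, TOS, total length
                      21397, flags_frag,      # identification, flags/fragment offset
                      58, 6, 0,               # TTL, protocol (TCP), checksum placeholder
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr[:CKSUM_OFFSET] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[CKSUM_OFFSET + 2:]


def clear_df(header: bytes, fix_checksum: bool) -> bytes:
    """Clear DF; with fix_checksum=False the checksum is left stale (the symptom)."""
    (flags_frag,) = struct.unpack_from("!H", header, FLAGS_OFFSET)
    new_flags = flags_frag & ~DF_FLAG & 0xFFFF
    out = bytearray(header)
    struct.pack_into("!H", out, FLAGS_OFFSET, new_flags)
    if fix_checksum:
        (old_cksum,) = struct.unpack_from("!H", header, CKSUM_OFFSET)
        struct.pack_into("!H", out, CKSUM_OFFSET,
                         incremental_update(old_cksum, flags_frag, new_flags))
    return bytes(out)


def expected_after_clearing_df(stale_cksum: int) -> int:
    """The '(->Y)' tcpdump should print if DF was cleared and the checksum not re-summed."""
    return incremental_update(stale_cksum, DF_FLAG, 0)


# The three 'bad cksum X (->Y)' pairs quoted in the post.
LOG_PAIRS = [(0x7186, 0xB186), (0xBF87, 0xFF87), (0xE3B2, 0x23B3)]


def log_pairs_match_df_clear() -> bool:
    """True if every quoted pair is explained by a cleared DF bit plus a stale checksum."""
    return all(expected_after_clearing_df(bad) == good for bad, good in LOG_PAIRS)


if __name__ == "__main__":
    original = build_header(df=True)
    stale = clear_df(original, fix_checksum=False)
    fixed = clear_df(original, fix_checksum=True)
    print("original header valid:", header_is_valid(original))
    print("DF cleared, checksum untouched, valid:", header_is_valid(stale))
    print("DF cleared, RFC 1624 fix-up applied, valid:", header_is_valid(fixed))
    print("post's three log pairs explained by a stale checksum:", log_pairs_match_df_clear())
```

Because tcpdump prints both the stored value and the value it recomputes, the difference between the two is diagnostic: a constant 0x4000 gap across many packets points at a flag-bit rewrite with a missing fix-up, whereas genuine corruption or offload artefacts would not produce one fixed delta. Any code that rewrites an IP header field in flight has to apply either the full recompute in `ipv4_checksum` or the incremental update in `incremental_update`; both give the same result, as the script checks.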



