rdr rule does not work (bad hdr length)

Jeremy Chadwick koitsu at FreeBSD.org
Tue Nov 4 02:25:38 PST 2008


On Tue, Nov 04, 2008 at 11:23:08AM +0100, Matthias Kellermann wrote:
> Jeremy Chadwick wrote:
> > Try changing "synproxy state" to "keep state", and see if you have the
> > same problem.  Note that you may need to reset your state table after
> > changing this rule (see pfctl -k).
> 
> Ok, I tried that. Here is the result:
> 
> # tcpdump -s 256 -netttvvi pflog0
> 000000 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35529,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 >
> 192.168.0.10.23: S, cksum 0x5fae (correct), 3300997001:3300997001(0) win
> 5840 <mss 1460,sackOK,timestamp 2866496 0,nop,wscale 6>
> 2. 998190 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35530,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 >
> 192.168.0.10.23: S, cksum 0x5cc0 (correct), 3300997001:3300997001(0) win
> 5840 <mss 1460,sackOK,timestamp 2867246 0,nop,wscale 6>
> 6. 000214 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35531,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 >
> 192.168.0.10.23: S, cksum 0x56e4 (correct), 3300997001:3300997001(0) win
> 5840 <mss 1460,sackOK,timestamp 2868746 0,nop,wscale 6>
> 12. 000425 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id
> 35532, offset 0, flags [DF], proto TCP (6), length 60)
> 192.168.0.51.38439 > 192.168.0.10.23: S, cksum 0x4b2c (correct),
> 3300997001:3300997001(0) win 5840 <mss 1460,sackOK,timestamp 2871746
> 0,nop,wscale 6
> 
> If I stop the connection attempts from the client the tcpdump output
> stops too.

Others will have to assist.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
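As an added diagnostic, not part of the thread, the following Python parser reads the tcpdump pflog records Matthias posted and flags a flow whose bare SYN keeps being logged with the same ISN while nothing is logged in the reverse direction; the sample is the thread's output re-joined onto single lines, and "replies" means replies visible in pflog only.

```python
import re
from collections import defaultdict

# Constructed sample: the four pflog records quoted in the thread, each re-joined
# onto a single line (tcpdump -s 256 -netttvvi pflog0; with -ttt every record after
# the first is prefixed by its inter-packet delta, e.g. "2. 998190" = 2.998190 s).
PFLOG_SAMPLE = """\
000000 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35529, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 > 192.168.0.10.23: S, cksum 0x5fae (correct), 3300997001:3300997001(0) win 5840 <mss 1460,sackOK,timestamp 2866496 0,nop,wscale 6>
2. 998190 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35530, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 > 192.168.0.10.23: S, cksum 0x5cc0 (correct), 3300997001:3300997001(0) win 5840 <mss 1460,sackOK,timestamp 2867246 0,nop,wscale 6>
6. 000214 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35531, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 > 192.168.0.10.23: S, cksum 0x56e4 (correct), 3300997001:3300997001(0) win 5840 <mss 1460,sackOK,timestamp 2868746 0,nop,wscale 6>
12. 000425 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35532, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 > 192.168.0.10.23: S, cksum 0x4b2c (correct), 3300997001:3300997001(0) win 5840 <mss 1460,sackOK,timestamp 2871746 0,nop,wscale 6
"""

# One pflog record: rule/reason, action, direction, interface, then the TCP
# endpoints, the flag letters ("S" = bare SYN, "S." = SYN-ACK) and the sequence range.
RECORD = re.compile(
    r"rule (?P<rule>\S+)\((?P<reason>\w+)\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifc>\w+):.*?\) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+), .*?(?P<seq>\d+):\d+\(\d+\)"
)


def parse_records(text):
    """Return one dict per line that parses as a TCP pflog record."""
    return [m.groupdict() for m in map(RECORD.search, text.splitlines()) if m]


def unanswered_syn_flows(text, min_syns=2):
    """Flows whose bare SYN was logged at least min_syns times while nothing
    for the reverse direction was logged: the client keeps retransmitting
    the same ISN because no SYN-ACK ever reaches it."""
    flows = defaultdict(lambda: {"syns": 0, "isns": set(), "replies": 0})
    for r in parse_records(text):
        fwd = (r["src"], int(r["sport"]), r["dst"], int(r["dport"]))
        rev = (r["dst"], int(r["dport"]), r["src"], int(r["sport"]))
        if r["flags"] == "S":                 # SYN without ACK: connection attempt
            flows[fwd]["syns"] += 1
            flows[fwd]["isns"].add(int(r["seq"]))
        elif rev in flows:                    # anything logged in the other direction
            flows[rev]["replies"] += 1
    return {f: {"syns": s["syns"], "distinct_isns": len(s["isns"]), "replies": s["replies"]}
            for f, s in flows.items() if s["syns"] >= min_syns and s["replies"] == 0}


if __name__ == "__main__":
    for (src, sport, dst, dport), info in unanswered_syn_flows(PFLOG_SAMPLE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {info['syns']} SYNs, "
              f"{info['distinct_isns']} distinct ISN(s), {info['replies']} logged replies")
```

For the posted capture this reports one flow with four SYNs, a single ISN and zero logged replies, which is what "the tcpdump output stops when the client stops" already hints at: pf passes the SYNs in, but nothing ever comes back through the logged rule.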
