rdr rule does not work (bad hdr length)

Jeremy Chadwick koitsu at FreeBSD.org
Tue Nov 4 01:38:08 PST 2008


On Tue, Nov 04, 2008 at 10:15:26AM +0100, Matthias Kellermann wrote:
> Hi list,
> 
> I'm trying to set up a simple rdr rule in pf (7.0-RELEASE-p5).
> 
> I have two hosts - host a (192.168.0.250) and host b (192.168.0.10) - in
> a local network and want to forward one port from host a to host b.
> 
> host a is the pf host. This is the rule to redirect traffic from host a
> to b:
> 
> rdr proto tcp from any to 192.168.0.250 port 23 -> 192.168.0.10
> pass log (all) proto tcp from any to 192.168.0.10 port 23 synproxy state
> 
> If I try to get a telnet connection from my client 192.168.0.51 the
> connection gets stuck and nothing happens. This is the output of tcpdump
> on the pflog0 interface:
> 
> # tcpdump -netttvvi pflog0
> 000000 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 26668,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.54460 >
> 192.168.0.10.23: [|tcp]
> 000266 rule 0/0(match): pass out on sis0: (tos 0x10, ttl 64, id 25527,
> offset 0, flags [DF], proto TCP (6), length 44) 192.168.0.51.54460 >
> 192.168.0.10.23:  tcp 24 [bad hdr length 0 - too short, < 20]
> 
> Does anybody have an idea what's wrong here?

This is not a pf problem.  tcpdump's snaplen defaults to 56 bytes, which
is too small when reading from pflog.  Use the -s flag to increase the
snaplen to 256 bytes, for example.  

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
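A worked illustration of the diagnosis above, added here as an example (it is not code from either poster): it constructs a DLT_PFLOG frame the way pflog0 would present the client's SYN (pflog header, then IPv4, then a 40-byte TCP header with options), cuts it at a given snaplen the way `tcpdump -s` does, and then decodes it layer by layer to show where a short capture runs out of bytes. The 64-byte pflog header size (FreeBSD's struct pfloghdr padded to a 4-byte boundary), its field values, the packet IDs and the option layout are assumptions made for this illustration, not values taken from the original capture.

```python
import struct

# ASSUMPTION for this illustration: FreeBSD's struct pfloghdr is 61 bytes of
# fields padded to 64 bytes on the pflog0 interface.  Every byte of it is
# consumed before tcpdump even reaches the IP header.
PFLOG_HDRLEN = 64
IPV4_HDRLEN = 20
TCP_MIN_HDRLEN = 20


def build_pflog_frame(src, dst, sport, dport, tcp_flags=0x02, tcp_options=b""):
    """Construct a DLT_PFLOG frame: pflog header + IPv4 + TCP (checksums left 0)."""
    assert len(tcp_options) % 4 == 0, "TCP options must be padded to 32-bit words"
    tcp_hdrlen = TCP_MIN_HDRLEN + len(tcp_options)
    # Constructed pfloghdr: length byte 61, af=AF_INET(2), action=pass(0),
    # reason=match(0), ifname, ruleset, rulenr, subrulenr, uid, pid,
    # rule_uid, rule_pid, dir=in(1), 3 pad bytes.  Field values are arbitrary.
    pflog = struct.pack("=BBBB16s16sIIIIIIB3x", 61, 2, 0, 0, b"sis0", b"",
                        0, 0, 0, 0, 0, 0, 1)
    total_len = IPV4_HDRLEN + tcp_hdrlen
    # IPv4: version/IHL 0x45, TOS 0x10, total length, id (constructed), DF,
    # TTL 64, proto TCP (6), checksum 0, src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, total_len, 26668, 0x4000,
                     64, 6, 0, bytes(src), bytes(dst))
    # TCP: ports, seq, ack, data offset in 32-bit words, flags, window,
    # checksum 0, urgent 0, then the options.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                      (tcp_hdrlen // 4) << 4, tcp_flags, 65535, 0, 0)
    return pflog + ip + tcp + tcp_options


def build_syn_frame():
    """The client SYN from the thread: 60-byte IP datagram with 20 bytes of options."""
    options = (b"\x02\x04\x05\xb4"          # MSS 1460
               + b"\x01\x03\x03\x06"        # NOP, window scale 6
               + b"\x04\x02"                # SACK permitted
               + b"\x08\x0a" + b"\x00" * 8)  # timestamps (values constructed)
    return build_pflog_frame((192, 168, 0, 51), (192, 168, 0, 10),
                             54460, 23, tcp_options=options)


def decode_tcp(captured, pflog_hdrlen=PFLOG_HDRLEN):
    """Walk the captured bytes the way a decoder does and report where they end.

    Returns (status, detail):
      ('truncated-ip',  bytes of IP header present)   nothing past pflog header
      ('truncated-tcp', bytes of TCP header present)  tcpdump prints "[|tcp]"
      ('bad-hdr-length', data offset in bytes)        "bad hdr length N - too short, < 20"
      ('truncated-options', bytes of TCP present)     fixed header ok, options cut
      ('ok', TCP segment length)                       everything decodable
    """
    ip = captured[pflog_hdrlen:]
    if len(ip) < IPV4_HDRLEN:
        return ("truncated-ip", len(ip))
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:]
    if len(tcp) < TCP_MIN_HDRLEN:
        return ("truncated-tcp", len(tcp))
    doff = (tcp[12] >> 4) * 4
    if doff < TCP_MIN_HDRLEN:
        return ("bad-hdr-length", doff)
    if len(tcp) < doff:
        return ("truncated-options", len(tcp))
    return ("ok", total_len - ihl)


def required_snaplen(frame, pflog_hdrlen=PFLOG_HDRLEN):
    """Smallest -s value that keeps the whole IP and TCP headers of this frame."""
    ip = frame[pflog_hdrlen:]
    ihl = (ip[0] & 0x0F) * 4
    doff = (ip[ihl + 12] >> 4) * 4
    return pflog_hdrlen + ihl + doff


if __name__ == "__main__":
    frame = build_syn_frame()
    print("frame is %d bytes, headers need a snaplen of at least %d"
          % (len(frame), required_snaplen(frame)))
    for snaplen in (56, 68, 96, 256):
        print("-s %3d -> %s" % (snaplen, decode_tcp(frame[:snaplen])))
```

With the 56-byte snaplen named in the reply, not one byte of the IP header survives the pflog header; at 96 the fixed TCP header is still cut short, which is the state tcpdump reports as `[|tcp]`; at 256 the SYN decodes completely. The general check is `required_snaplen()`: whatever the link type, a capture whose snaplen is below the sum of the link header and the protocol headers being decoded will produce decoder complaints that look like corrupt traffic, so confirm the snaplen before treating a pflog capture as evidence of a firewall fault.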

