Thread: FreeBSD 7.0 and pf




FreeBSD 7.0 and pf
2008-03-19 01:56:48
Hi all,

I'm using freebsd 7.0 + gif interfaces + racoon + pf to filter stuff on
my box. After upgrading to freebsd 7.0 I see some strange behavior. I
see packets get dropped because of bad hdr length. The problems only
seem to happen on traffic between the local nets and nets routed via
ipsec. Here is a tcpdump snippet:

block in on em5: 192.168.175.4.1107 > 192.168.116.6.22:  tcp 544 [bad hdr length 12 - too short, < 20]

gif interface:
gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
        tunnel inet 213.157.17.67 --> 213.23.198.131
        inet 192.168.116.1 --> 192.168.175.1 netmask 0xffffff00


Any help is welcome.

Thx
Norman



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Re: FreeBSD 7.0 and pf
2008-03-19 03:34:28
On 07:56:48 Mar 19, Norman Maurer wrote:
> Hi all,
> 
> I'm using freebsd 7.0 + gif interfaces + racoon + pf to filter stuff on
> my box. After upgrading to freebsd 7.0 I see some strange behavior. I
> see packets get dropped because of bad hdr length. The problems only
> seem to happen on traffic between the local nets and nets routed via
> ipsec. Here is a tcpdump snippet:
> 
> block in on em5: 192.168.175.4.1107 > 192.168.116.6.22:  tcp 544 [bad hdr length 12 - too short, < 20]
> 
> gif interface:
> gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
>         tunnel inet 213.157.17.67 --> 213.23.198.131
>         inet 192.168.116.1 --> 192.168.175.1 netmask 0xffffff00
> 
> 
> Any help is welcome.

A TCP header can never be less than 20 bytes.

And 12 is odd since all headers are a multiple of 4 bytes (word
boundary).

Check your MTU of the PPPoE/PPPoA/Ethernet/WiFi or whatever datalink
layer. I bet there is a problem there.

Best,
Girish

-- 
"unix soi qui mal y pense"

UNIX to him who evil thinks

+------------------------------------------------------------------+
| GnuPG key  : 0xC7BBF207  |  http://wwwkeys.nl.pgp.net            |
| Fingerprint: 2AFF C264 20CE C80C DDFF  CC15 AD3E F190 C7BB F207  |
+------------------------------------------------------------------+
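
Added example (not part of the original thread): the "hdr length" that tcpdump prints is the TCP data offset nibble times 4, so a reading of 12 means the offset field held 3, below the minimum of 5. The sketch below applies that check to constructed packets using the addresses and ports from the log line; build_packet and check_tcp_header are hypothetical helper names.

```python
import socket
import struct

TCP_MIN_HDR = 20  # header without options: data offset field = 5 words

def build_packet(src, dst, sport, dport, data_offset, payload=b""):
    """Constructed IPv4+TCP packet for the demo (checksums left at 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (data_offset << 12) | 0x018,  # offset nibble + PSH/ACK
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def check_tcp_header(packet):
    """Return (ok, message) for the TCP header length of an IPv4 packet."""
    if len(packet) < 20:
        return False, "truncated IP header"
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[0] >> 4 != 4 or ihl < 20:
        return False, "not a valid IPv4 header"
    if packet[9] != socket.IPPROTO_TCP:
        return False, "not TCP"
    tcp = packet[ihl:]
    if len(tcp) < 14:
        return False, "truncated TCP header"
    hdr_len = (tcp[12] >> 4) * 4          # data offset is in 32-bit words
    if hdr_len < TCP_MIN_HDR:
        return False, f"bad hdr length {hdr_len} - too short, < {TCP_MIN_HDR}"
    if hdr_len > len(tcp):
        return False, f"bad hdr length {hdr_len} - exceeds segment ({len(tcp)} bytes)"
    return True, f"hdr length {hdr_len}"

if __name__ == "__main__":
    # Offset 3 reproduces the logged message; offset 5 is a normal header.
    for off in (3, 5):
        pkt = build_packet("192.168.175.4", "192.168.116.6", 1107, 22, off)
        print(off, check_tcp_header(pkt))
```

If the same traffic parses cleanly on one interface and fails this check on another, the parser on the failing path is most likely reading the header at the wrong offset rather than seeing a genuinely malformed segment.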

Re: FreeBSD 7.0 and pf
2008-03-19 03:40:02
On Wednesday, 19.03.2008, at 14:04 +0530, Girish Venkatachalam wrote:
> On 07:56:48 Mar 19, Norman Maurer wrote:
> > Hi all,
> > 
> > I'm using freebsd 7.0 + gif interfaces + racoon + pf to filter stuff on
> > my box. After upgrading to freebsd 7.0 I see some strange behavior. I
> > see packets get dropped because of bad hdr length. The problems only
> > seem to happen on traffic between the local nets and nets routed via
> > ipsec. Here is a tcpdump snippet:
> > 
> > block in on em5: 192.168.175.4.1107 > 192.168.116.6.22:  tcp 544 [bad hdr length 12 - too short, < 20]
> > 
> > gif interface:
> > gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
> >         tunnel inet 213.157.17.67 --> 213.23.198.131
> >         inet 192.168.116.1 --> 192.168.175.1 netmask 0xffffff00
> > 
> > 
> > Any help is welcome.
> 
> A TCP header can never be less than 20 bytes.
> 
> And 12 is odd since all headers are a multiple of 4 bytes (word
> boundary).
> 
> Check your MTU of the PPPoE/PPPoA/Ethernet/WiFi or whatever datalink
> layer. I bet there is a problem there.
> 
> Best,
> Girish
> 
Maybe the problem is the mtu of the gif interface ( 1402 ) ?
I have a 4 mbit broadband connection ( no dsl ).

bye
Norman



Re: FreeBSD 7.0 and pf
2008-03-19 04:30:38
On Wednesday, 19.03.2008, at 09:40 +0100, Norman Maurer wrote:
> On Wednesday, 19.03.2008, at 14:04 +0530, Girish Venkatachalam wrote:
> > On 07:56:48 Mar 19, Norman Maurer wrote:
> > > Hi all,
> > > 
> > > I'm using freebsd 7.0 + gif interfaces + racoon + pf to filter stuff on
> > > my box. After upgrading to freebsd 7.0 I see some strange behavior. I
> > > see packets get dropped because of bad hdr length. The problems only
> > > seem to happen on traffic between the local nets and nets routed via
> > > ipsec. Here is a tcpdump snippet:
> > > 
> > > block in on em5: 192.168.175.4.1107 > 192.168.116.6.22:  tcp 544 [bad hdr length 12 - too short, < 20]
> > > 
> > > gif interface:
> > > gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
> > >         tunnel inet 213.157.17.67 --> 213.23.198.131
> > >         inet 192.168.116.1 --> 192.168.175.1 netmask 0xffffff00
> > > 
> > > 
> > > Any help is welcome.
> > 
> > A TCP header can never be less than 20 bytes.
> > 
> > And 12 is odd since all headers are a multiple of 4 bytes (word
> > boundary).
> > 
> > Check your MTU of the PPPoE/PPPoA/Ethernet/WiFi or whatever datalink
> > layer. I bet there is a problem there.
> > 
> > Best,
> > Girish
> > 
> Maybe the problem is the mtu of the gif interface ( 1402 ) ?
> I have a 4 mbit broadband connection ( no dsl ).
> 
> bye
> Norman

btw, if I remove pf all works fine :-/

Cheers,
Norman



Re: FreeBSD 7.0 and pf
2008-03-19 05:48:11
On 10:30:38 Mar 19, Norman Maurer wrote:
> 
> btw, if I remove pf all works fine :-/
> 


Are you using any scrub rule?

Comment those out and try.

-Girish

-- 
"unix soi qui mal y pense"

UNIX to him who evil thinks

+------------------------------------------------------------------+
| GnuPG key  : 0xC7BBF207  |  http://wwwkeys.nl.pgp.net            |
| Fingerprint: 2AFF C264 20CE C80C DDFF  CC15 AD3E F190 C7BB F207  |
+------------------------------------------------------------------+

Re: FreeBSD 7.0 and pf
2008-03-19 05:53:13
On Wednesday, 19.03.2008, at 16:18 +0530, Girish Venkatachalam wrote:
> On 10:30:38 Mar 19, Norman Maurer wrote:
> > 
> > btw, if I remove pf all works fine :-/
> > 
> 
> 
> Are you using any scrub rule?
> 
> Comment those out and try.
> 
> -Girish
> 

I removed the "options IPSEC_FILTERTUNNEL" from kernel config,
recompiled, installed kernel and all seems to work fine again ..

Strange...

bye
Norman


