From owner-freebsd-questions@FreeBSD.ORG  Sat Dec 22 01:24:07 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5498E16A418
	for <freebsd-questions@freebsd.org>;
	Sat, 22 Dec 2007 01:24:07 +0000 (UTC)
	(envelope-from phatbuckett@gmail.com)
Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.181])
	by mx1.freebsd.org (Postfix) with ESMTP id 18EE613C4F4
	for <freebsd-questions@freebsd.org>;
	Sat, 22 Dec 2007 01:24:07 +0000 (UTC)
	(envelope-from phatbuckett@gmail.com)
Received: by wa-out-1112.google.com with SMTP id k17so903580waf.3
	for <freebsd-questions@freebsd.org>;
	Fri, 21 Dec 2007 17:24:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
	bh=rDkWIADT3OKMfEt2mcabV6WrZhCvpGt0SXFohSKxb0g=;
	b=N6LWDFWlOr8DpYGyD6bnva6Md39WToOJjmnICOyB86zY16fOZshNkfRSD6E4s1janCMqC0kcn7biNUYHg0ufZ4Drkq3RXSzu6PexLe+Ff3LzeXEd0re+U7kCkgLUfEYxoVWjKfalO6oXN2/5pRN6m79hR/C3hoGcjLF79+VR7fY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
	b=H7LRcD02QZf6PE21XKKdMN+KJZIDVrVnucpQohXOmIAp2gug6ZYtVU/8lSXhX3yxSRCD4WWS8NoZ/4eF14HzJkaDZ29ZrbnGjwntYTtPxwTRKP4qDXshENIpnX6aEUd8ovtBix42B/mEWxUy3PlvjJO4cDE6+vucZBIIpbR9yvs=
Received: by 10.114.120.1 with SMTP id s1mr227050wac.107.1198284899612;
	Fri, 21 Dec 2007 16:54:59 -0800 (PST)
Received: by 10.114.47.12 with HTTP; Fri, 21 Dec 2007 16:54:59 -0800 (PST)
Message-ID: <839aec700712211654r29524f89q64a1d7cee9e1dc20@mail.gmail.com>
Date: Fri, 21 Dec 2007 17:54:59 -0700
From: "Darren Spruell" <phatbuckett@gmail.com>
To: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: TCP window scaling > 14
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Dec 2007 01:24:07 -0000

I have a FreeBSD host which I noticed recently triggering some snort
decoder alerts due to using a TCP window scaling (rfc1323) value of
15. The decoder is tripping because anything greater than 14 is
considered invalid. This text from RFC seems to support it:

Since the max window is 2**S (where S is the scaling shift count)
times at most 2**16 - 1 (the maximum unscaled window), the maximum
window is guaranteed to be < 2*30 if S <= 14.  Thus, the shift
count must be limited to 14 (which allows windows of 2**30 = 1
Gbyte).  If a Window Scale option is received with a shift.cnt
value exceeding 14, the TCP should log the error but use 14
instead of the specified value.

http://www.networksorcery.com/enp/protocol/tcp/option003.htm suggests
the option should only be set on a SYN packet.

Packet data:

11:41:18.424938 IP (tos 0x0, ttl  46, id 58935, offset 0, flags
[none], proto: TCP (6), length: 60) 137.160.241.90.34223 >
165.195.64.61.1: FP, cksum 0x0900 (correct), 1645233436:1645233436(0)
win 65535 urg 0 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
	0x0000:  4500 003c e637 0000 2e06 4589 89a0 f15a  E..<.7....E....Z
	0x0010:  a5c3 403d 85af 0001 6210 451c 86c4 20ed  ..@=....b.E.....
	0x0020:  a029 ffff 0900 0000 0303 0f01 0204 0109  .)..............
	0x0030:  080a ffff ffff 0000 0000 0402            ............

This packet was generated during a probe of a remote systems echo
service using nc(1). It may have come when the ctrl+c was issued.

net.inet.tcp.rfc1323 is enabled.

The following are sysctl changes in effect on the system:

kern.ipc.shmmax=67108864
kern.ipc.shmall=32768
vfs.usermount=1
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
kern.ipc.nmbclusters=32768

So, is it indeed wrong for FreeBSD to set a window scale value of 15
or on a non-SYN? Any problems to take care of?

DS



Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.3-PRERELEASE #0: Fri Nov 30 16:05:54 MST 2007
    root@calamity.honeywell.com:/usr/obj/usr/src/sys/SMP
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz (2327.51-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x6f7  Stepping = 7
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x4e3bd<SSE3,RSVD2,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA>
  AMD Features=0x20100000<NX,LM>
  AMD Features2=0x1<LAHF>
  Cores per package: 4
real memory  = 3219169280 (3070 MB)
avail memory = 3144863744 (2999 MB)
ACPI APIC Table: <DELL   B8K    >
FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
 cpu2 (AP): APIC ID:  2
 cpu3 (AP): APIC ID:  3
 cpu4 (AP): APIC ID:  4
 cpu5 (AP): APIC ID:  5
 cpu6 (AP): APIC ID:  6
 cpu7 (AP): APIC ID:  7
ioapic0: Changing APIC ID to 8
ioapic1: Changing APIC ID to 9
ioapic0 <Version 2.0> irqs 0-23 on motherboard
ioapic1 <Version 2.0> irqs 24-47 on motherboard
kbd1 at kbdmux0
netsmb_dev: loaded
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: <DELL B8K    > on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
cpu2: <ACPI CPU> on acpi0
cpu3: <ACPI CPU> on acpi0
cpu4: <ACPI CPU> on acpi0
cpu5: <ACPI CPU> on acpi0
cpu6: <ACPI CPU> on acpi0
cpu7: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> irq 16 at device 0.0 on pci1
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> irq 16 at device 0.0 on pci2
pci3: <ACPI PCI bus> on pcib3
pcib4: <PCI-PCI bridge> irq 16 at device 1.0 on pci2
pci4: <PCI bus> on pcib4
pcib5: <ACPI PCI-PCI bridge> at device 0.3 on pci1
pci5: <ACPI PCI bus> on pcib5
fwohci0: <Lucent FW322/323> mem 0xdceff000-0xdcefffff irq 26 at device
5.0 on pci5
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channels is 8.
fwohci0: EUI64 00:00:d1:00:80:35:7a:57
fwohci0: Phy 1394a available S400, 3 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: <IEEE1394(FireWire) bus> on fwohci0
fwe0: <Ethernet over FireWire> on firewire0
if_fwe0: Fake Ethernet address: 02:00:d1:35:7a:57
fwe0: Ethernet address: 02:00:d1:35:7a:57
fwe0: if_start running deferred for Giant
sbp0: <SBP-2/SCSI over FireWire> on firewire0
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
pcib6: <ACPI PCI-PCI bridge> at device 3.0 on pci0
pci6: <ACPI PCI bus> on pcib6
pcib7: <ACPI PCI-PCI bridge> at device 4.0 on pci0
pci7: <ACPI PCI bus> on pcib7
pci7: <display, VGA> at device 0.0 (no driver attached)
pcib8: <ACPI PCI-PCI bridge> at device 5.0 on pci0
pci8: <ACPI PCI bus> on pcib8
pcib9: <ACPI PCI-PCI bridge> at device 6.0 on pci0
pci9: <ACPI PCI bus> on pcib9
pcib10: <ACPI PCI-PCI bridge> at device 7.0 on pci0
pci10: <ACPI PCI bus> on pcib10
pcm0: <Intel 631x/632xESB High Definition Audio Controller> mem
0xdfffc000-0xdfffffff irq 16 at device 27.0 on pci0
pcib11: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pci11: <ACPI PCI bus> on pcib11
bge0: <Broadcom BCM5752 A2, ASIC rev. 0x6002> mem
0xdccf0000-0xdccfffff irq 16 at device 0.0 on pci11
miibus0: <MII bus> on bge0
brgphy0: <BCM5752 10/100/1000baseTX PHY> on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
bge0: Ethernet address: 00:1a:a0:ac:eb:69
uhci0: <UHCI (generic) USB controller> port 0xff80-0xff9f irq 21 at
device 29.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: <UHCI (generic) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <UHCI (generic) USB controller> port 0xff60-0xff7f irq 22 at
device 29.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: <UHCI (generic) USB controller> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: <UHCI (generic) USB controller> port 0xff40-0xff5f irq 18 at
device 29.2 on pci0
uhci2: [GIANT-LOCKED]
usb2: <UHCI (generic) USB controller> on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3: <UHCI (generic) USB controller> port 0xff20-0xff3f irq 23 at
device 29.3 on pci0
uhci3: [GIANT-LOCKED]
usb3: <UHCI (generic) USB controller> on uhci3
usb3: USB revision 1.0
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xff980800-0xff980bff
irq 21 at device 29.7 on pci0
ehci0: [GIANT-LOCKED]
usb4: waiting for BIOS to give up control
usb4: EHCI version 1.0
usb4: companion controllers, 2 ports each: usb0 usb1 usb2 usb3
usb4: <EHCI (generic) USB 2.0 controller> on ehci0
usb4: USB revision 2.0
uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
pcib12: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci12: <ACPI PCI bus> on pcib12
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel 63XXESB2 UDMA100 controller> port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xffa0-0xffaf irq 16 at device
31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
atapci1: <Intel 63XXESB2 SATA300 controller> port
0xfe00-0xfe07,0xfe10-0xfe13,0xfe20-0xfe27,0xfe30-0xfe33,0xfec0-0xfedf
mem 0xff970000-0xff9703ff irq 20 at device 31.2 on pci0
atapci1: AHCI called from vendor specific driver
atapci1: AHCI Version 01.10 controller with 6 ports detected
ata2: <ATA channel 0> on atapci1
ata3: <ATA channel 1> on atapci1
ata4: <ATA channel 2> on atapci1
ata5: <ATA channel 3> on atapci1
ata6: <ATA channel 4> on atapci1
ata7: <ATA channel 5> on atapci1
ata7: port not implemented
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <ECP parallel printer port> port 0x378-0x37f,0x778-0x77f irq 7 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppbus0: <Parallel port bus> on ppc0
ppi0: <Parallel I/O> on ppbus0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem
0xc0000-0xcbfff,0xcc000-0xcdfff,0xce000-0xd2fff,0xd3000-0xd3fff on
isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
uhub5: Dell Dell USB Keyboard Hub, class 9/0, rev 1.10/48.01, addr 2
uhub5: 3 ports with 2 removable, bus powered
ukbd0: Dell Dell USB Keyboard Hub, rev 1.10/48.00, addr 3, iclass 3/1
kbd2 at ukbd0
uhid0: Dell Dell USB Keyboard Hub, rev 1.10/48.00, addr 3, iclass 3/1
ums0: vendor 0x0461 USB Optical Mouse, rev 2.00/2.00, addr 4, iclass 3/1
ums0: 3 buttons and Z dir.
Timecounters tick every 1.000 msec
acd0: DVDR <PHILIPS DVD+/-RW DVD8801/AD21> at ata0-master UDMA33
ad4: 152587MB <WDC WD1600ADFS-75SLR2 21.07Q21> at ata2-master SATA300
ad6: 152587MB <WDC WD1600ADFS-75SLR2 21.07Q21> at ata3-master SATA300
pcm0: <HDA Codec: Sigmatel STAC9220>
pcm0: <HDA Driver Revision: 20071129_0050>
acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00
acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00
ar0: 152585MB <Intel MatrixRAID RAID1> status: READY
ar0: disk0 READY (master) using ad4 at ata2-master
ar0: disk1 READY (mirror) using ad6 at ata3-master
SMP: AP CPU #1 Launched!
SMP: AP CPU #7 Launched!
SMP: AP CPU #2 Launched!
SMP: AP CPU #3 Launched!
SMP: AP CPU #6 Launched!
SMP: AP CPU #5 Launched!
SMP: AP CPU #4 Launched!
cd0 at ata0 bus 0 target 0 lun 0
cd0: <PHILIPS DVD+-RW DVD8801 AD21> Removable CD-ROM SCSI-0 device
cd0: 33.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present
Trying to mount root from ufs:/dev/ar0s1a


-- 
Darren Spruell
phatbuckett@gmail.com