From: "Derkjan de Haan"
To: freebsd-pf@freebsd.org
Date: Tue, 31 May 2005 13:55:49 +0200 (CEST)
Subject: no-df and cksum errors in tcpdump
Message-ID: <60550.195.50.100.20.1117540549.squirrel@haanjdj.demon.nl>

All,

I am using FreeBSD-STABLE on my home server/firewall.
Yesterday I played a bit with the no-df scrub option. However, this yields errors with tcpdump in protocol decoding mode:

    tcpdump -n -e -ttt -v -r /var/log/pflog

A couple of lines from the log:

    088889 rule 31/0(match): pass in on em1: IP (tos 0x10, ttl 58, id 21397, offset 0, flags [none], length: 60, bad cksum 7186 (->b186)!) 195.245.244.241.40947 > 192.168.2.1.6346: S [tcp sum ok] 855340762:855340762(0) win 5840
    095894 rule 31/0(match): pass in on em1: IP (tos 0x10, ttl 60, id 18568, offset 0, flags [none], length: 60, bad cksum bf87 (->ff87)!) 62.241.53.2.46125 > 192.168.2.1.6346: S [tcp sum ok] 3675198613:3675198613(0) win 5840
    882863 rule 0/0(match): block in on em1: IP (tos 0x0, ttl 123, id 55684, offset 0, flags [none], length: 48, bad cksum e3b2 (->23b3)!) 82.161.151.113.4988 > 82.161.5.221.445: S [tcp sum ok] 1263353290:1263353290(0) win 64240

The relevant line from pf config (full config available on request):

    scrub on $ext_if all no-df random-id reassemble tcp

The strange thing is that as soon as I remove the no-df from my pf configuration, the 'bad cksum' disappears.

Has anybody seen this before? Can it be that pf doesn't recompute the checksum after altering the packet?

regards,
Derkjan
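An added check, not part of the original message: it rebuilds the IPv4 header of each logged packet from the fields tcpdump printed and computes the RFC 1071 checksum twice, once with the DF bit clear (as logged) and once with DF set. It assumes a 20-byte header without IP options, protocol TCP, and fragment offset 0; the function names are made up for this example.

```python
import socket
import struct

DF = 0x4000  # "don't fragment" bit in the 16-bit flags/fragment-offset field

# Fields copied from the three pflog lines in the message above:
# (tos, total length, id, ttl, src, dst, checksum stored in packet, checksum tcpdump expects)
LOGGED = [
    (0x10, 60, 21397, 58, "195.245.244.241", "192.168.2.1", 0x7186, 0xB186),
    (0x10, 60, 18568, 60, "62.241.53.2", "192.168.2.1", 0xBF87, 0xFF87),
    (0x00, 48, 55684, 123, "82.161.151.113", "82.161.5.221", 0xE3B2, 0x23B3),
]

def ipv4_header(tos, length, ident, ttl, src, dst, flags_frag):
    """Pack a 20-byte IPv4 header with the checksum field zeroed.
    Assumption: no IP options (IHL 5) and protocol 6 (TCP)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, length, ident, flags_frag,
                       ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))

def internet_checksum(data):
    """RFC 1071: one's complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return ~total & 0xFFFF

def explain(entry):
    """Return (checksum with DF clear, checksum with DF set) for one log entry."""
    tos, length, ident, ttl, src, dst = entry[:6]
    clear = internet_checksum(ipv4_header(tos, length, ident, ttl, src, dst, 0))
    with_df = internet_checksum(ipv4_header(tos, length, ident, ttl, src, dst, DF))
    return clear, with_df

def stored_matches_df_header(entry):
    """True when tcpdump's expected value is the DF-clear checksum and the
    stored value is the checksum the same header would carry with DF set."""
    clear, with_df = explain(entry)
    return clear == entry[7] and with_df == entry[6]

if __name__ == "__main__":
    for e in LOGGED:
        clear, with_df = explain(e)
        print("%-16s stored=%04x expected=%04x DF-clear=%04x DF-set=%04x match=%s"
              % (e[4], e[6], e[7], clear, with_df, stored_matches_df_header(e)))
```

For all three lines the stored checksum equals the value the logged header would have with DF still set, a one's-complement difference of exactly 0x4000. This describes only the copy of the packet written to pflog, not what leaves the interface.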