Date: Wed, 10 Mar 1999 15:01:14 +1100 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@freebsd.org
Subject: fragmented packets
Message-ID: <Pine.BSF.4.01.9903101449160.5619-100000@velvet.sensation.net.au>

Hi all,

I am having some problems with fragmented packets from certain hosts. Firstly, I'm not sure they're valid packets. Here's a small sample from tcpdump -vfi ppp0 host 209.1.224.16:

14:48:45.993516 209.1.224.16.http > 203.20.114.3.timbuktu-srv3: FP 192316230:192317386(1156) ack 2204793872 win 8460 (frag 57245:1176@0+) (ttl 246)
14:48:46.011204 209.1.224.16 > 203.20.114.3: (frag 57245:149@1176) (ttl 246)
14:49:01.940357 209.1.224.16.http > 203.20.114.7.4366: FP 177375633:177376789(1156) ack 1825709182 win 9870 (frag 24914:1176@0+) (ttl 246)
14:49:01.948698 209.1.224.16 > 203.20.114.7: (frag 24914:53@1176) (ttl 246)

These packets are also blocked by ipfw, which reports junk port numbers:

ipfw: 5 Deny TCP 209.1.224.16:11 203.20.114.3:2818 in via ppp0 Fragment = 147
ipfw: 5 Deny TCP 209.1.224.16:50213 203.20.114.3:30500 in via ppp0 Fragment = 147
ipfw: 5 Deny TCP 209.1.224.16:11 203.20.114.3:2818 in via ppp0 Fragment = 147
ipfw: 5 Deny TCP 209.1.224.16:18683 203.20.114.3:42890 in via ppp0 Fragment = 147

Rule 5 is:

00005 304 103312 deny log tcp from any to any 20034

A temporary rule, and nothing to do with fragmented packets. At the other times this has happened it's reported another seemingly random (but valid) rule number.

Has anyone ever seen something like this before? It seems to happen mainly on inbound SMTP connections but just now I've noticed it on an outbound HTTP connection.

FreeBSD 2.2.5-RELEASE, ppp0 at the moment is an ISDN connection to Telstra Internet (Australia).

I run a script which regularly emails "freshly logged" denied packets to me so it's getting a little annoying to get an email every 10 minutes for an hour or two with the above denied packets. As well as that, the packets are being dropped so the connection is effectively useless. I've resorted to temporarily firewalling a host trying to deliver a message via SMTP, to force it to deliver (reliably) via my 3rd priority MX, which is external.

I mentioned this strange fragmented packets problem in comp.os.unix.freebsd.misc about 10-12 months ago but no one responded.

Does ipfw grab the packet before or after tcpdump displays it? (I'm guessing after, since denied packets still show up in tcpdump). If this is the case then there's either a problem with packet processing, or perhaps a broken gateway somewhere is grunging packets. Maybe even pppd? Note however that it's only happened on about 6 hosts in the past few months, and sometimes connections to them work just fine.

I've really got no idea where to start to try to fix this annoying problem.

Thanks for any help.

Cheers.

--
Rowan Crowe
Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728 +61-3-9388-9260
http://www.rowan.sensation.net.au/ http://www.sensation.net.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
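
Added example, not part of the original message: a short Python check of the fragment annotations in the tcpdump sample above. It parses each (frag id:len@offset+) field, verifies that every fragment set is contiguous and complete, and converts byte offsets to the 8-byte units used by the IP header, where 1176 / 8 = 147. The function and field names are illustrative, and reading the "Fragment = 147" in the ipfw log lines as that offset field is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from the tcpdump sample in the message (timestamps trimmed).
SAMPLE = """\
209.1.224.16.http > 203.20.114.3.timbuktu-srv3: FP 192316230:192317386(1156) ack 2204793872 win 8460 (frag 57245:1176@0+) (ttl 246)
209.1.224.16 > 203.20.114.3: (frag 57245:149@1176) (ttl 246)
209.1.224.16.http > 203.20.114.7.4366: FP 177375633:177376789(1156) ack 1825709182 win 9870 (frag 24914:1176@0+) (ttl 246)
209.1.224.16 > 203.20.114.7: (frag 24914:53@1176) (ttl 246)
"""

FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def parse_fragments(text):
    """Return {ip_id: [fragment, ...]} for each '(frag id:len@off[+])' annotation."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue
        ip_id, length, offset = (int(m.group(i)) for i in (1, 2, 3))
        groups[ip_id].append({
            "offset": offset,                # byte offset into the IP payload
            "length": length,                # IP payload bytes in this fragment
            "more": m.group(4) == "+",       # More Fragments flag
            "offset_units": offset // 8,     # value carried in the IP header field
            "has_l4_header": offset == 0,    # only the first fragment holds TCP ports
        })
    return dict(groups)

def check_datagram(frags):
    """Return (ok, total_payload_bytes); ok means contiguous from 0 with a final fragment."""
    frags = sorted(frags, key=lambda f: f["offset"])
    expected = 0
    for f in frags:
        if f["offset"] != expected:          # gap, overlap, or missing first fragment
            return False, expected
        if f["more"] and f["length"] % 8:    # non-final fragments must be multiples of 8
            return False, expected
        expected += f["length"]
    return (not frags[-1]["more"]), expected

if __name__ == "__main__":
    for ip_id, frags in parse_fragments(SAMPLE).items():
        print(ip_id, check_datagram(frags), [(f["offset_units"], f["has_l4_header"]) for f in frags])
```

Both sample datagrams pass the check, and the second fragment of each sits at offset unit 147 with no TCP header, so any port numbers read from it are payload bytes.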