Date:      Wed, 10 Mar 1999 15:01:14 +1100 (EST)
From:      Rowan Crowe <rowan@sensation.net.au>
To:        freebsd-isp@freebsd.org
Subject:   fragmented packets
Message-ID:  <Pine.BSF.4.01.9903101449160.5619-100000@velvet.sensation.net.au>

Hi all,

I am having some problems with fragmented packets from certain hosts.

Firstly, I'm not sure they're valid packets. Here's a small sample from
tcpdump -vfi ppp0 host 209.1.224.16:

14:48:45.993516 209.1.224.16.http > 203.20.114.3.timbuktu-srv3: FP 192316230:192317386(1156) ack 2204793872 win 8460 (frag 57245:1176@0+) (ttl 246)
14:48:46.011204 209.1.224.16 > 203.20.114.3: (frag 57245:149@1176) (ttl 246)
14:49:01.940357 209.1.224.16.http > 203.20.114.7.4366: FP 177375633:177376789(1156) ack 1825709182 win 9870 (frag 24914:1176@0+) (ttl 246)
14:49:01.948698 209.1.224.16 > 203.20.114.7: (frag 24914:53@1176) (ttl 246)

These packets are also blocked by ipfw, which reports junk port numbers:

ipfw: 5 Deny TCP 209.1.224.16:11 203.20.114.3:2818 in via ppp0 Fragment = 147
ipfw: 5 Deny TCP 209.1.224.16:50213 203.20.114.3:30500 in via ppp0 Fragment = 147
ipfw: 5 Deny TCP 209.1.224.16:11 203.20.114.3:2818 in via ppp0 Fragment = 147
ipfw: 5 Deny TCP 209.1.224.16:18683 203.20.114.3:42890 in via ppp0 Fragment = 147

Rule 5 is:

00005        304     103312 deny log tcp from any to any 20034

A temporary rule, and nothing to do with fragmented packets. At the other
times this has happened it's reported another seemingly random (but valid)
rule number.

Has anyone ever seen something like this before? It seems to happen mainly
on inbound SMTP connections but just now I've noticed it on an outbound
HTTP connection.

FreeBSD 2.2.5-RELEASE, ppp0 at the moment is an ISDN connection to Telstra
Internet (Australia).

I run a script which regularly emails "freshly logged" denied packets to
me so it's getting a little annoying to get an email every 10 minutes for
an hour or two with the above denied packets. As well as that, the packets
are being dropped so the connection is effectively useless. I've resorted
to temporarily firewalling a host trying to deliver a message via SMTP, to
force it to deliver (reliably) via my 3rd priority MX, which is external.

I mentioned this strange fragmented packets problem in
comp.os.unix.freebsd.misc about 10-12 months ago but no one responded.

Does ipfw grab the packet before or after tcpdump displays it? (I'm
guessing after, since denied packets still show up in tcpdump). If this is
the case then there's either a problem with packet processing, or perhaps
a broken gateway somewhere is grunging packets. Maybe even pppd? Note
however that it's only happened on about 6 hosts in the past few months,
and sometimes connections to them work just fine.

I've really got no idea where to start to try to fix this annoying 
problem. Thanks for any help.

Cheers.


--
Rowan Crowe                     Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728                                          +61-3-9388-9260
http://www.rowan.sensation.net.au/             http://www.sensation.net.au/
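
Added example, not part of the original message: a short Python parser for the tcpdump fragment notation quoted above, showing that the second fragment's byte offset (1176, i.e. 147 eight-byte units) equals the "Fragment = 147" value in the ipfw log, and that such a non-first fragment carries no TCP header. The `naive_ports` helper and its payload bytes are constructed for illustration, on the assumption that the filter reads the port fields from the start of the IP payload without checking the fragment offset.

```python
import re
import struct

# The first fragment pair from the tcpdump output quoted in the message.
TCPDUMP_LINES = [
    "14:48:45.993516 209.1.224.16.http > 203.20.114.3.timbuktu-srv3: FP "
    "192316230:192317386(1156) ack 2204793872 win 8460 "
    "(frag 57245:1176@0+) (ttl 246)",
    "14:48:46.011204 209.1.224.16 > 203.20.114.3: (frag 57245:149@1176) (ttl 246)",
]
# One ipfw log line quoted in the message.
IPFW_LINE = ("ipfw: 5 Deny TCP 209.1.224.16:11 203.20.114.3:2818 "
             "in via ppp0 Fragment = 147")

FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")


def parse_frag(line):
    """Parse tcpdump's (frag id:len@offset[+]) notation; None if absent."""
    m = FRAG_RE.search(line)
    if m is None:
        return None
    ident, length, offset = (int(g) for g in m.groups()[:3])
    return {
        "id": ident,
        "len": length,                 # bytes of IP payload in this fragment
        "offset": offset,              # byte offset into the original payload
        "offset_units": offset // 8,   # the IP header stores it in 8-byte units
        "more": m.group(4) == "+",     # MF (more fragments) flag
        "has_l4_header": offset == 0,  # only the first fragment holds the TCP header
    }


def ipfw_fragment_field(line):
    """Extract the 'Fragment = N' value from an ipfw log line."""
    m = re.search(r"Fragment = (\d+)", line)
    return int(m.group(1)) if m else None


def naive_ports(ip_payload):
    """Ports as read by a filter that ignores the fragment offset (assumption)."""
    return struct.unpack("!HH", ip_payload[:4])


if __name__ == "__main__":
    first, second = (parse_frag(l) for l in TCPDUMP_LINES)
    print(second["offset_units"], ipfw_fragment_field(IPFW_LINE))
    # Constructed payload bytes (not from the page): mid-stream data, no TCP header.
    print(naive_ports(b"\x00\x0b\x0b\x02 rest of HTTP body"))
```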


