FreeBSD 7.0 and pf
Hi all,

I'm using FreeBSD 7.0 + gif interfaces + racoon + pf to filter stuff on my box. After upgrading to FreeBSD 7.0 I see some strange behavior. I see packets get dropped because of bad hdr length. The problem only seems to happen on traffic between the local nets and nets routed via IPsec.

Here is a tcpdump snippet:

    block in on em5: 192.168.175.4.1107 > 192.168.116.6.22: tcp 544 [bad hdr length 12 - too short, < 20]

gif interface:

    gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
            tunnel inet 213.157.17.67 --> 213.23.198.131
            inet 192.168.116.1 --> 192.168.175.1 netmask 0xff00

Any help is welcome.

Thx
Norman

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: FreeBSD 7.0 and pf
On 07:56:48 Mar 19, Norman Maurer wrote:
> Hi all,
>
> I'm using FreeBSD 7.0 + gif interfaces + racoon + pf to filter stuff on my box. After upgrading to FreeBSD 7.0 I see some strange behavior. I see packets get dropped because of bad hdr length. The problem only seems to happen on traffic between the local nets and nets routed via IPsec.
>
> Here is a tcpdump snippet:
>
>     block in on em5: 192.168.175.4.1107 > 192.168.116.6.22: tcp 544 [bad hdr length 12 - too short, < 20]
>
> gif interface:
>
>     gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
>             tunnel inet 213.157.17.67 --> 213.23.198.131
>             inet 192.168.116.1 --> 192.168.175.1 netmask 0xff00
>
> Any help is welcome.

A TCP header can never be less than 20 bytes. And 12 is odd since all headers are a multiple of 4 bytes (word boundary).

Check your MTU of the PPPoE/PPPoA/Ethernet/WiFi or whatever datalink layer. I bet there is a problem there.

Best,
Girish

--
unix soi qui mal y pense
UNIX to him who evil thinks
+--+
| GnuPG key  : 0xC7BBF207 | http://wwwkeys.nl.pgp.net |
| Fingerprint: 2AFF C264 20CE C80C DDFF CC15 AD3E F190 C7BB F207 |
+--+
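The header-length check behind the bracketed annotation in the log line above, as an added example that is not part of the original thread or of pf/tcpdump source. The TCP data offset field is 4 bits and counts 32-bit words, so a reported length of 12 corresponds to a data offset of 3, below the minimum of 5. The function names and the sample segments (ports 1107 and 22 taken from the log line, everything else constructed) are assumptions for illustration.

```python
import struct

TCP_MIN_HDR = 20  # data offset 5: the fixed header with no options


def build_tcp_header(sport, dport, data_offset_words, flags=0x18):
    """Constructed sample: a 20-byte fixed TCP header with a chosen data offset."""
    off_flags = (data_offset_words << 12) | flags
    # sport, dport, seq, ack, offset+flags, window, checksum, urgent pointer
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                       off_flags, 65535, 0, 0)


def check_tcp_header(segment):
    """Return (ok, reason) for the header-length sanity checks on a TCP segment."""
    if len(segment) < TCP_MIN_HDR:
        return False, f"truncated: {len(segment)} bytes available, < {TCP_MIN_HDR}"
    off_flags = struct.unpack_from("!H", segment, 12)[0]
    hdr_len = (off_flags >> 12) * 4  # the field counts 32-bit words
    if hdr_len < TCP_MIN_HDR:
        return False, f"bad hdr length {hdr_len} - too short, < {TCP_MIN_HDR}"
    if hdr_len > len(segment):
        return False, f"bad hdr length {hdr_len} - longer than segment ({len(segment)})"
    return True, f"hdr length {hdr_len}, {hdr_len - TCP_MIN_HDR} bytes of options"


if __name__ == "__main__":
    samples = {
        "data offset 3 (as in the log line)": build_tcp_header(1107, 22, 3),
        "data offset 5 (no options)": build_tcp_header(1107, 22, 5),
        "data offset 8, options missing": build_tcp_header(1107, 22, 8),
        "data offset 8, 12 option bytes": build_tcp_header(1107, 22, 8) + b"\x01" * 12,
        "12-byte fragment of a header": build_tcp_header(1107, 22, 5)[:12],
    }
    for label, seg in samples.items():
        print(f"{label:36s} -> {check_tcp_header(seg)}")
```

A segment whose bytes at the expected TCP offset are not really a TCP header (for example because the packet is inspected at the wrong encapsulation layer) will typically fail the same check with an arbitrary length value.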
Re: FreeBSD 7.0 and pf
On Wednesday, 19.03.2008, at 14:04 +0530, Girish Venkatachalam wrote:
> On 07:56:48 Mar 19, Norman Maurer wrote:
> > Hi all,
> >
> > I'm using FreeBSD 7.0 + gif interfaces + racoon + pf to filter stuff on my box. After upgrading to FreeBSD 7.0 I see some strange behavior. I see packets get dropped because of bad hdr length. The problem only seems to happen on traffic between the local nets and nets routed via IPsec.
> >
> > Here is a tcpdump snippet:
> >
> >     block in on em5: 192.168.175.4.1107 > 192.168.116.6.22: tcp 544 [bad hdr length 12 - too short, < 20]
> >
> > gif interface:
> >
> >     gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
> >             tunnel inet 213.157.17.67 --> 213.23.198.131
> >             inet 192.168.116.1 --> 192.168.175.1 netmask 0xff00
> >
> > Any help is welcome.
>
> A TCP header can never be less than 20 bytes. And 12 is odd since all headers are a multiple of 4 bytes (word boundary).
>
> Check your MTU of the PPPoE/PPPoA/Ethernet/WiFi or whatever datalink layer. I bet there is a problem there.
>
> Best,
> Girish

Maybe the problem is the MTU of the gif interface (1402)? I have a 4 Mbit broadband connection (no DSL).

bye
Norman
Re: FreeBSD 7.0 and pf
On Wednesday, 19.03.2008, at 09:40 +0100, Norman Maurer wrote:
> On Wednesday, 19.03.2008, at 14:04 +0530, Girish Venkatachalam wrote:
> > On 07:56:48 Mar 19, Norman Maurer wrote:
> > > Hi all,
> > >
> > > I'm using FreeBSD 7.0 + gif interfaces + racoon + pf to filter stuff on my box. After upgrading to FreeBSD 7.0 I see some strange behavior. I see packets get dropped because of bad hdr length. The problem only seems to happen on traffic between the local nets and nets routed via IPsec.
> > >
> > > Here is a tcpdump snippet:
> > >
> > >     block in on em5: 192.168.175.4.1107 > 192.168.116.6.22: tcp 544 [bad hdr length 12 - too short, < 20]
> > >
> > > gif interface:
> > >
> > >     gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1402
> > >             tunnel inet 213.157.17.67 --> 213.23.198.131
> > >             inet 192.168.116.1 --> 192.168.175.1 netmask 0xff00
> > >
> > > Any help is welcome.
> >
> > A TCP header can never be less than 20 bytes. And 12 is odd since all headers are a multiple of 4 bytes (word boundary).
> >
> > Check your MTU of the PPPoE/PPPoA/Ethernet/WiFi or whatever datalink layer. I bet there is a problem there.
> >
> > Best,
> > Girish
>
> Maybe the problem is the MTU of the gif interface (1402)? I have a 4 Mbit broadband connection (no DSL).
>
> bye
> Norman

btw, if I remove pf all works fine :-/

Cheers,
Norman
Re: FreeBSD 7.0 and pf
On 10:30:38 Mar 19, Norman Maurer wrote:
> btw, if I remove pf all works fine :-/

Are you using any scrub rule? Comment those out and try.

-Girish
Re: FreeBSD 7.0 and pf
On Wednesday, 19.03.2008, at 16:18 +0530, Girish Venkatachalam wrote:
> On 10:30:38 Mar 19, Norman Maurer wrote:
> > btw, if I remove pf all works fine :-/
>
> Are you using any scrub rule? Comment those out and try.
>
> -Girish

I removed the options IPSEC_FILTERTUNNEL from kernel config, recompiled, installed kernel and all seems to work fine again... Strange...

bye
Norman