I was experimenting with a recent build of -current (3/25/2003) to see
if our company could start using the route-to and reply-to rules to
handle a dual-homed machine (DSL and cable). While testing a very
minimal reply-to ruleset I could not get it to return packets properly.
Originally I thought the problem was with the new firewall and my
routing rule, but a tcpdump -vv on both ends showed that the second SYN
packet was indeed getting back, but with a bad checksum. I think this
is causing the connecting client's firewall to drop the connection.
Questions: Is this a known problem? Do I just have a bad build of
-current? Is there anything I can do to get the returning checksum from
a reply-to rule to be good?
ruleset:
pass in on $dsl_if reply-to ($dsl_if $dsl_gateway) from any to any keep state
tcpdump:
13:12:28.669568 yyy.yyy.yyy.yyy.62968 > xxx.xxx.xxx.xxx.ssh: S [tcp sum
ok] 3381628526:3381628526(0) win 57344 <mss 1460> (DF) (ttl 44, id 54460)
13:12:28.669609 xxx.xxx.xxx.xxx.ssh > yyy.yyy.yyy.yyy.62968: S [bad tcp
cksum 7142!] 4265412548:4265412548(0) ack 3381628527 win 17376 <mss
1460,nop,wscale 0,nop,nop,timestamp 115744696 1884681> (DF) (ttl 64, id
27612)
-David Powers
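As an added example (not from the post, and not pf code), here is the check tcpdump -vv performs when it prints "[tcp sum ok]" or "[bad tcp cksum ...]": the TCP checksum covers an IPv4 pseudo-header (addresses, protocol, length) plus the whole segment, so it must be recomputed whenever anything it covers is rewritten. The packet bytes and the 192.0.2.x / 198.51.100.x addresses are constructed here; only the ports, sequence numbers, window, id and ttl are copied from the capture above.

```python
import struct

IPPROTO_TCP = 6

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP header and payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum field = 0
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def verify_tcp(packet: bytes) -> tuple:
    """Return (ok, stored, expected) for an IPv4 packet carrying TCP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(packet[12:16], packet[16:20], segment)
    return stored == expected, stored, expected

def build_syn_ack(src, dst, sport, dport, seq, ack, corrupt=False) -> bytes:
    """Constructed SYN/ACK (no options); corrupt=True flips one checksum bit."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x12,
                      17376, 0, 0)          # flags SYN|ACK, win from the post
    sum_ = tcp_checksum(src, dst, tcp)
    if corrupt:
        sum_ ^= 0x0001                      # guaranteed to differ from the good sum
    tcp = tcp[:16] + struct.pack("!H", sum_) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 27612, 0x4000,
                     64, IPPROTO_TCP, 0, src, dst)     # DF set, ttl 64
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp

SRC = bytes([192, 0, 2, 1])         # constructed placeholder addresses
DST = bytes([198, 51, 100, 7])
GOOD = build_syn_ack(SRC, DST, 22, 62968, 4265412548, 3381628527)
BAD = build_syn_ack(SRC, DST, 22, 62968, 4265412548, 3381628527, corrupt=True)

if __name__ == "__main__":
    print("good packet:", verify_tcp(GOOD))
    print("bad packet: ", verify_tcp(BAD))
```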