
tcp bad checksum on reply-to packets



I was experimenting with a recent build of -current (3/25/2003) to see if our company could start using the route-to and reply-to rules to handle a dual-homed machine (DSL and cable). While testing a very minimal reply-to ruleset I could not get it to return packets properly. Originally I thought the problem was with the new firewall and my routing rule, but a tcpdump -vv on both ends showed that the second SYN packet was indeed getting back, but with a bad checksum. I think this is causing the connecting client's firewall to drop the connection.

Questions: Is this a known problem? Do I just have a bad build of -current? Is there anything I can do to get the returning checksum from a reply-to rule to be good?

ruleset:

pass in on $dsl_if reply-to ($dsl_if $dsl_gateway) from any to any keep state

tcpdump:

13:12:28.669568 yyy.yyy.yyy.yyy.62968 > xxx.xxx.xxx.xxx.ssh: S [tcp sum ok] 3381628526:3381628526(0) win 57344 <mss 1460> (DF) (ttl 44, id 54460)
13:12:28.669609 xxx.xxx.xxx.xxx.ssh > yyy.yyy.yyy.yyy.62968: S [bad tcp cksum 7142!] 4265412548:4265412548(0) ack 3381628527 win 17376 <mss 1460,nop,wscale 0,nop,nop,timestamp 115744696 1884681> (DF) (ttl 64, id 27612)



-David Powers
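An added example, not part of David's post, showing what tcpdump's "[bad tcp cksum ...]" verdict actually tests. The TCP checksum covers an IPv4 pseudo-header (source address, destination address, protocol 6 and TCP length) followed by the whole TCP segment, so tcpdump recomputes it from the captured bytes and reports a mismatch when the stored value does not fit. The script rebuilds a SYN-ACK with the header fields shown in the capture above (ports, sequence and ack numbers, window, options). The two host addresses are masked in the post, so RFC 5737 documentation addresses stand in for them; that, and the WRONG_SOURCE_IP used to show that the pseudo-header binds the checksum to the addresses, are assumptions of this example, and the post does not say whether an address mismatch is what happened in David's case.

```python
import struct
from typing import Optional

# Constructed stand-ins for the masked addresses in the post (assumption):
SERVER_IP = bytes([192, 0, 2, 10])        # xxx.xxx.xxx.xxx, the pf box sending the SYN-ACK
CLIENT_IP = bytes([198, 51, 100, 20])     # yyy.yyy.yyy.yyy, the connecting client
WRONG_SOURCE_IP = bytes([192, 0, 2, 11])  # hypothetical other address on the pf box


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum the sender must store in bytes 16..17 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + zeroed
    return (~ones_complement_sum(covered)) & 0xFFFF


def checksum_residual(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Receiver-side check: complement of the sum over the pseudo-header and the
    segment including its stored checksum. 0 means the checksum verifies."""
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return (~ones_complement_sum(covered)) & 0xFFFF


def verify_tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    return checksum_residual(src_ip, dst_ip, segment) == 0


def build_synack(checksum: Optional[int] = None) -> bytes:
    """SYN-ACK with the fields from the second tcpdump line in the post.
    With checksum=None the correct value is computed and stored."""
    options = (
        b"\x02\x04\x05\xb4"                                    # mss 1460
        + b"\x01"                                              # nop
        + b"\x03\x03\x00"                                      # wscale 0
        + b"\x01\x01"                                          # nop, nop
        + b"\x08\x0a" + struct.pack("!II", 115744696, 1884681)  # timestamp
    )
    data_offset_flags = (10 << 12) | 0x12  # 40-byte header (offset 10 words), SYN+ACK
    header = struct.pack(
        "!HHIIHHHH",
        22,          # source port: ssh
        62968,       # destination port
        4265412548,  # sequence number
        3381628527,  # ack number
        data_offset_flags,
        17376,       # window
        0,           # checksum placeholder
        0,           # urgent pointer
    )
    segment = header + options
    if checksum is None:
        checksum = tcp_checksum(SERVER_IP, CLIENT_IP, segment)
    return segment[:16] + struct.pack("!H", checksum) + segment[18:]


def corrupted_synack() -> bytes:
    """Same segment with the stored checksum off by one: what a receiver would drop."""
    good = build_synack()
    stored = int.from_bytes(good[16:18], "big")
    return build_synack(checksum=(stored + 1) & 0xFFFF)


if __name__ == "__main__":
    good = build_synack()
    print("correct SYN-ACK verifies:", verify_tcp_checksum(SERVER_IP, CLIENT_IP, good))
    print("corrupted SYN-ACK verifies:", verify_tcp_checksum(SERVER_IP, CLIENT_IP, corrupted_synack()))
    print("same bytes, different source address verifies:",
          verify_tcp_checksum(WRONG_SOURCE_IP, CLIENT_IP, good))
```

One caveat when reading such captures: a tcpdump taken on the sending host can show a bad TCP checksum that is not real when the interface does checksum offloading, because the NIC fills the field in after the packet is captured. That explanation does not fit the situation in the post, where the capture on the receiving end shows the same bad checksum.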