PF "scrub reassemble tcp" makes a packet with invalid TCP checksum depending on the situation



Hi all,

Recently I received an e-mail from our customer that he could not browse
our web site. I thought that was strange at first because we and most
people could browse without problems, but he could not...umm, why?

After some investigation I've found that our web server ignores the SYN
packet he sent because it has an invalid TCP checksum, and his original
packet has a correct checksum but it is broken after passing our
firewall using the PF packet filter on 7.4-RELEASE. And furthermore, I've
noticed that such an invalid packet is made when the original packet has a TCP
timestamp option and the option does not start at a 16-bit word boundary,
like a packet that has TCP options <mss,wscale,sackOK,timestamp,eol>.

After all, disabling "scrub reassemble tcp" rule resolved this problem.
But I have some questions:

Is this a bug in the PF code, or does the original packet violate the RFC? As far as I
know, the last TCP option must end at a 32-bit boundary but there is no
restriction for each option about position, order etc. So I think this
is a bug. Correct?

How many systems in the world create such a SYN packet? I think
that many OSes add NOP options before the timestamp option to adjust the
starting position, but the one our customer has does not. Unfortunately
I cannot get information from him about his network environment...

--
Kazuaki ODA
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
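As an added illustration, not code from the post or from PF: the script below builds the SYN option layout the report describes, locates the timestamp option, and shows how an incremental checksum fixup that treats TSval as two whole 16-bit checksum words goes wrong exactly when the option starts at an odd byte, while the common NOP-padded layout survives the same rewrite. The rewrite-then-fixup mechanism is an assumption consistent with the symptom, not a reading of the PF source; addresses and option values are constructed.

```python
import socket
import struct
# Constructed packets, not from the post; SRC/DST are RFC 5737 documentation addresses.
# MISALIGNED is the layout the report names, <mss,wscale,sackOK,timestamp,eol>: the timestamp
# option starts at byte 9, so TSval straddles checksum words. ALIGNED is NOP-padded instead.
SRC, DST = "192.0.2.10", "198.51.100.80"
MSS, WSCALE, SACKOK = struct.pack("!BBH", 2, 4, 1460), bytes([3, 3, 7]), bytes([4, 2])
TS = struct.pack("!BBII", 8, 10, 12345, 0)          # kind 8, len 10, TSval, TSecr
MISALIGNED = MSS + WSCALE + SACKOK + TS + b"\x00"   # trailing eol, 20 bytes
ALIGNED = MSS + SACKOK + TS + b"\x01" + WSCALE      # nop before wscale, 20 bytes

def ocsum(data: bytes) -> int:
    # RFC 1071 one's-complement sum of 16-bit words, odd trailing byte zero-padded
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp_checksum(seg: bytes) -> int:
    # IPv4 pseudo-header + segment; returns 0 when seg already carries a correct checksum
    pseudo = socket.inet_aton(SRC) + socket.inet_aton(DST) + struct.pack("!BBH", 0, 6, len(seg))
    return (~ocsum(pseudo + seg)) & 0xFFFF

def build_syn(options: bytes) -> bytes:
    doff = (20 + len(options)) // 4                 # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, doff << 4, 0x02, 65535, 0, 0)
    seg = hdr + options
    return seg[:16] + struct.pack("!H", tcp_checksum(seg)) + seg[18:]

def timestamp_offset(options: bytes):
    # byte offset of the timestamp option (kind 8) inside the option area, else None
    i = 0
    while i < len(options) and options[i] not in (0, 8):   # kind 0 = eol
        i += 1 if options[i] == 1 else options[i + 1]      # kind 1 = nop, no length byte
    return i if i < len(options) and options[i] == 8 else None

def modulate_tsval(seg: bytes, new_tsval: int, incremental: bool) -> bytes:
    # Rewrite TSval as a timestamp-modulating scrubber would. incremental=True applies an
    # RFC 1624 fixup over the two words it assumes TSval occupies; False recomputes fully.
    pos = 20 + timestamp_offset(seg[20:]) + 2
    old, new = seg[pos:pos + 4], struct.pack("!I", new_tsval)
    out = bytearray(seg[:pos] + new + seg[pos + 4:])
    if incremental:
        ck = struct.unpack("!H", seg[16:18])[0]
        for o, n in zip(struct.unpack("!HH", old), struct.unpack("!HH", new)):
            ck = (~ocsum(struct.pack("!HHH", ck ^ 0xFFFF, o ^ 0xFFFF, n))) & 0xFFFF
    else:
        ck = tcp_checksum(bytes(out[:16] + b"\x00\x00" + out[18:]))
    out[16:18] = struct.pack("!H", ck)
    return bytes(out)
```

Feed a captured SYN's option bytes to timestamp_offset: an odd result means the timestamp option is the kind of layout the report describes.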
