Date:      Tue, 16 Apr 2013 20:52:05 +0200
From:      Spil Oss <spil.oss@gmail.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-ipfw@freebsd.org, Michael Sierchio <kudzu@tenebras.com>
Subject:   Re: Problems with ipfw/natd and axe(4)
Message-ID:  <CAEJyAvMGKr9gZEEhg2KCD2FkZ=F4Xbx20v8iWyu8hhA_Pq8phw@mail.gmail.com>
In-Reply-To: <CAEJyAvP-4FZ7eZ0o4c3qMzC0nY_gT4GfS3KjBVQiuzNY3aXz4Q@mail.gmail.com>
References:  <CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw@mail.gmail.com> <20130415015850.Y56386@sola.nimnet.asn.au> <CAHu1Y73Xu64NY1B=idaKmHKDGOB3AHbcXKi4A48-SNkhJrMy6Q@mail.gmail.com> <20130415160625.K56386@sola.nimnet.asn.au> <CAEJyAvP-4FZ7eZ0o4c3qMzC0nY_gT4GfS3KjBVQiuzNY3aXz4Q@mail.gmail.com>

Hi all,

If I disable checksum offloading on the NIC I do the tcpdump on, then I
assume that the checksum-check will provide accurate results?
With checksum disabled, I see that the checksum is incorrect when the
client does not respond to the SYN,ACK, and correct when it does.

Out of curiosity I tried with pf as well and it behaves the same.

Kind regards,

Spil.


On Mon, Apr 15, 2013 at 9:04 PM, Spil Oss <spil.oss@gmail.com> wrote:

> Hi all,
>
> Network dumps as promised
> On 172.17.2.1:
>       tcpdump -p -i bridge0 -s 0 -w ssh-fail.pcap host not 172.17.2.167
> From 172.17.2.1 I ran
>       telnet 172.17.2.111/157 22
> In Wireshark I trimmed the capture a bit further with expression
>       'not stp and not http'
>
> Initial setup (ue0 ext, re0 int, rule 10 to allow ssh)
>      -> ue0-ssh-success.pcap
> Removed rule 10
>      -> ue0-ssh-fail.pcap
> Switched re0 and ue0, default ruleset (without 10)
>      -> re0-ssh-success.pcap
>
> According to YungHyeong the sample ASIX NIC he has works normally when
> checksumming is disabled.
>
> Kind regards,
>
> Spil.
>
>
>
>
> On Mon, Apr 15, 2013 at 8:25 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
>
>> On Sun, 14 Apr 2013 10:34:06 -0700, Michael Sierchio wrote:
>>  > On Sun, Apr 14, 2013 at 10:26 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
>>  >
>>  > > 'allow ip' aka 'allow all' doesn't usually take a port number, which
>>  > > applies only to tcp and udp.
>>  >
>>  > It does in ipfw - in which case it means ( udp | tcp )
>>
>> You're quite right, and my assumption that it would also permit icmp
>> was quite wrong, after a quick test.
>>
>> Which appears to leave the bypassed divert not working with rx/txcsum
>> the only viable suspect.  The ruleset is otherwise 'out of the box'.
>>
>> Does anyone know whether this is an issue with libalias(3) generally -
>> in which case using nat instead of divert shouldn't help - or just with
>> natd in particular?
>>
>> cheers, Ian
>>
>
>


