"bad hdr… too short" temporarily blocked my IP
-
Running 2.02 Release on a Dell 2650 PERC using two Intel dual NICs (fxp0-3). Onboard NICs (bge0 and 1) are disabled due to an E13F4 PCI parity error earlier this week.
I have rules to allow webGUI and SSH access on the WAN side for my IPs only. It has been working. But today I was not able to webGUI in and noticed at the console (option 10, filter logs) pflog entries similar to what's shown below. During the time I could not remote in, pflog showed numerous entries similar to what's shown below, but blocking MY IP! My remote IP was the source and the destination was my pfSense IP address:443. My rules should have allowed access. After rebooting pfSense, I was able to remote in again. My IP is no longer getting blocked, but I still see these messages for other IPs. I know these entries are most likely bots port scanning, but I'm trying to figure out if I have a bad NIC or what. I have TWO other pfSense boxes identical to this one (but both are running 2.01 rel); both are very busy with Internet activity and they don't show these pflog "bad hdr…too short" entries. Rebooting to "fix" something is never good when you have no idea why it happened. Any ideas?
FYI - I'll try moving the WAN to a different NIC. Suggestions on how to isolate the cause? (My pfSense IP address in the log is purposely set to 1xx.32.xx1.126.)
00:00:00.000000 rule 1/0(match): block in on fxp0: 95.211.210.241.80 > 1xx.32.xx1.126.16289: tcp 24 [bad hdr length 0 - too short, < 20]
00:01:29.763250 rule 1/0(match): block in on fxp0: 37.43.125.53.1395 > 1xx.32.xx1.126.445: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:03.017507 rule 1/0(match): block in on fxp0: 37.43.125.53.1395 > 1xx.32.xx1.126.445: tcp 28 [bad hdr length 0 - too short, < 20]
00:03:50.853720 rule 1/0(match): block in on fxp0: 176.57.143.36.80 > 1xx.32.xx1.126.56141: tcp 24 [bad hdr length 0 - too short, < 20]
00:03:31.217288 rule 1/0(match): block in on fxp0: 193.44.1.19.17398 > 1xx.32.xx1.126.445: tcp 28 [bad hdr length 0 - too short, < 20]
00:10:01.475376 rule 1/0(match): block in on fxp0: 95.238.118.28.2656 > 1xx.32.xx1.126.445: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:02.884511 rule 1/0(match): block in on fxp0: 95.238.118.28.2656 > 1xx.32.xx1.126.445: tcp 28 [bad hdr length 0 - too short, < 20]
-
"bad hdr length 0 - too short, < 20" just means there wasn't enough data in that row for tcpdump to interpret into a proper message. It is neither fatal nor indicative of any problem.
The ports in the log you provided are not 443, they're 445 (one of Microsoft's fun exploitable ports), so the logs you show aren't relevant to GUI access either.
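A small parser for the pflog lines quoted in this thread, added here as an example and not taken from any post: it splits out source, destination and ports, flags the entries tcpdump marked with the bad-header warning, and lists any blocks whose source is your own address, which is the check the original question turns on. The sample lines and the 203.0.113.7 pass entry are constructed.

```python
import re
from collections import Counter

# Constructed sample in the pflog0 tcpdump format the thread shows; the
# 203.0.113.7 pass line is invented to put a normal GUI hit beside the
# malformed ones (addresses masked the way the original poster masked them).
SAMPLE_LOG = """\
00:00:00.000000 rule 1/0(match): block in on fxp0: 95.211.210.241.80 > 1xx.32.xx1.126.16289: tcp 24 [bad hdr length 0 - too short, < 20]
00:01:29.763250 rule 1/0(match): block in on fxp0: 37.43.125.53.1395 > 1xx.32.xx1.126.445: tcp 28 [bad hdr length 0 - too short, < 20]
00:03:31.217288 rule 1/0(match): block in on fxp0: 193.44.1.19.17398 > 1xx.32.xx1.126.445: tcp 28 [bad hdr length 0 - too short, < 20]
00:00:05.000000 rule 2/0(match): pass in on fxp0: 203.0.113.7.51000 > 1xx.32.xx1.126.443: Flags [S], seq 10, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+)\(match\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)
# tcpdump prints this when the TCP data-offset field claims a header shorter
# than the 20-byte minimum, so ports and flags on such a line are suspect.
BAD_HDR_RE = re.compile(r"\[bad hdr length (?P<hlen>\d+) - too short, < 20\]")


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    bad = BAD_HDR_RE.search(rec["rest"])
    rec["bad_hdr"] = bad is not None
    rec["hdr_len"] = int(bad.group("hlen")) if bad else None
    return rec


def summarize(log_text, my_ip):
    """Count bad-header entries per destination port and list every block
    whose source is my_ip (the poster's own address check)."""
    by_dport = Counter()
    mine = []
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if rec["bad_hdr"]:
            by_dport[rec["dport"]] += 1
        if rec["action"] == "block" and rec["src"] == my_ip:
            mine.append((rec["ts"], rec["dport"], rec["bad_hdr"]))
    return {"bad_hdr_by_dport": dict(by_dport), "blocks_from_my_ip": mine}
```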
-
I wasn't able to copy/paste the log when it happened, but it was showing my IP:443 as the source. Still unsure as to why the garbage in occurred and I lost GUI access. Then rebooting cleared the issue. I hate it when that happens.
Thanks for the explanation though. I'm reassured to let it go if it doesn't crop up again.