One SYN packet 2 SYN-ACK replies
-
Very interesting.
I have forwarded this info onto the Bridge maintainer on FreeBSD.
In the meantime, try this from a shell then hping again:
sysctl net.inet.tcp.delayed_ack=0
-
-
I found an interesting condiditon, when HPINGING google.com all packets are fine, no double packets, the difference I saw is that google.com has IP ID sequences as were my targets had DF bit set and IPID = 0. This could be interesting, maybe packet fragementat pfsense can't handle correctly ?
Thierry
-
Thanks for the update, I'll send it over to Andrew.
-
Its true that the bridge code does not do any fragmentation, this will be addressed soon.
-
Thanks for your comments, but this ain't on the bridge or am I missing something ? ???
-
Please try beta 3.
-
I did just upgrade and checked the new option to "Clear DF bit instead of dropping"
This gave me the following error :
There were error(s) loading the rules: /tmp/rules.debug:15: random-id cannot be respecifiedpfctl: Syntax error in config file: pf rules not loaded - The line in question reads [15]: scrub on ng0 all no-df random-id max-mss 1452 random-id…
The standard Beta 3 (without this option) gives the same results :(
Thanks for your support
-
Already fixed. Unchecking this option shouldn't give this error though. Apply http://pfsense.bol2riz.com/updates/pfSense-BETA3-update-for-random_id-and-blank_rule-issues-on-embedded-and-full.tgz
-
Thank you,
The rule installed fine now, the DF bit is removed an IPID is added, however the problem with duplicates packets remains, maybe it's my config that is really at fault?
len=46 ip=194.154.210.xx ttl=58 id=28123 sport=443 flags=SA seq=0 win=5840 rtt=26.4 ms
len=46 ip=194.154.210.xx ttl=58 id=343 sport=443 flags=SA seq=1 win=5840 rtt=25.5 ms
len=46 ip=194.154.210.xx ttl=58 id=7653 sport=443 flags=SA seq=2 win=5840 rtt=24.6 ms
len=46 ip=194.154.210.xx ttl=58 id=23457 sport=443 flags=SA seq=3 win=5840 rtt=23.9 ms
DUP! len=46 ip=194.154.210.xx ttl=58 id=23457 sport=443 flags=SA seq=0 win=5840 rtt=3025.3 msInteresting is here that the duplicate packet has another IPID as the original, this is most likely due to PF adding the value, right ?
-
Quick note:
If I disable the "Remove DF bit" in the advanced settings, the DF bit is now set but an IPID is added (i suppose by PF), before this option there was no DF and no IPID (no need to since DF) is this intented behaviour ? As i use Pfsense for Pentests I would ideally need 1:1 packets (so that the results are not falsified)
-
Dear Group,
I appreciate your help, I am still having the same issue I can't seem to resolve, duplicate SYN ACKS ???
Anyway my rules could be at fault ?