Good morning,

I've been seeing a lot of "bad ip cksum" error messages on my OpenBSD Tor gateway, like these:

Mar 15 12:27:03.113986 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49964, dst 172.217.19.142:443] 172.22.55.4.49964 > 127.0.0.1.9040: SWE 3285379865:3285379865(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453692805 0,[|tcp]> (ttl 63, id 46325, len 64, bad ip cksum 2341! -> 64a7)
Mar 15 12:27:07.847299 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49965, dst 85.17.191.244:443] 172.22.55.4.49965 > 127.0.0.1.9040: SWE 755785425:755785425(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453697494 0,[|tcp]> (ttl 63, id 9318, len 64, bad ip cksum 5f32! -> f536)
Mar 15 12:27:08.355880 rule 1._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49966, dst 88.221.213.34:80] 172.22.55.4.49966 > 127.0.0.1.9040: SWE 2618743678:2618743678(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453697997 0,[|tcp]> (ttl 63, id 53617, len 64, bad ip cksum 992c! -> 482b)
Mar 15 12:27:09.337650 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49967, dst 85.17.191.242:443] 172.22.55.4.49967 > 127.0.0.1.9040: SWE 2709850134:2709850134(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453698968 0,[|tcp]> (ttl 63, id 31872, len 64, bad ip cksum 71a! -> 9d1c)
Mar 15 12:27:09.364017 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49968, dst 85.17.191.242:443] 172.22.55.4.49968 > 127.0.0.1.9040: SWE 855567415:855567415(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453698993 0,[|tcp]> (ttl 63, id 58857, len 64, bad ip cksum 9db0! -> 33b3)

As you can see, all packets are allowed, and I have configured my match rules as:

match in all scrub (no-df max-mss 1440)
match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)

Any idea why this error is always on?

--
Regards,
C. L. Martinez