Sorry, my mistake. I have only one match rule configured as:

match in all scrub (no-df max-mss 1440 random-id)

-- 
Regards,
C. L. Martinez

On 15/03/2020, 13:33, "Carlos Lopez" <clo...@outlook.com> wrote:

    Good morning,
    
     I've been seeing a lot of "bad ip cksum" error messages in my OpenBSD’s Tor gateway, like these:
    
    Mar 15 12:27:03.113986 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49964, dst 172.217.19.142:443] 172.22.55.4.49964 > 127.0.0.1.9040: SWE 3285379865:3285379865(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453692805 0,[|tcp]> (ttl 63, id 46325, len 64, bad ip cksum 2341! -> 64a7)
    Mar 15 12:27:07.847299 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49965, dst 85.17.191.244:443] 172.22.55.4.49965 > 127.0.0.1.9040: SWE 755785425:755785425(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453697494 0,[|tcp]> (ttl 63, id 9318, len 64, bad ip cksum 5f32! -> f536)
    Mar 15 12:27:08.355880 rule 1._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49966, dst 88.221.213.34:80] 172.22.55.4.49966 > 127.0.0.1.9040: SWE 2618743678:2618743678(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453697997 0,[|tcp]> (ttl 63, id 53617, len 64, bad ip cksum 992c! -> 482b)
    Mar 15 12:27:09.337650 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49967, dst 85.17.191.242:443] 172.22.55.4.49967 > 127.0.0.1.9040: SWE 2709850134:2709850134(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453698968 0,[|tcp]> (ttl 63, id 31872, len 64, bad ip cksum 71a! -> 9d1c)
    Mar 15 12:27:09.364017 rule 2._5.1/(match) [uid 0, pid 71416] pass in on vio0: [orig src 172.22.55.4:49968, dst 85.17.191.242:443] 172.22.55.4.49968 > 127.0.0.1.9040: SWE 855567415:855567415(0) win 65535 <mss 1440,nop,wscale 6,nop,nop,timestamp 453698993 0,[|tcp]> (ttl 63, id 58857, len 64, bad ip cksum 9db0! -> 33b3)
    
     As you can see, all packets are allowed, and I have configured my match rules as:
    
    match in all scrub (no-df max-mss 1440)
    match out on egress all scrub (no-df random-id reassemble tcp max-mss 1440)
    
     Any idea why this error is always on?
    -- 
    Regards,
    C. L. Martinez
    
    
