I've been fighting with stunnel, trying to get its transparent proxy support to work. No matter what I do, as soon as transparent = source support is turned on, tests with my mail client just time out.
If I turn transparent proxy support off it works but appears as if connections are from localhost, which is undesirable.
My goal is to have stunnel listen on *:465 and provide SSL protected connectivity, which appear to arrive from the remote client IP, on my mail server's external IP address on port 25. My mail server and the firewall with the rules on it are the same physical machine.
Can someone please make some suggestions as to what else I can try to get this working?
I'm running Linux 2.6.38 on a current CentOS/rhel5 box and I've got modules built for most netfilter options, including:

NF_CONNTRACK=m
NETFILTER_TPROXY=m
NETFILTER_XT_MATCH_SOCKET=m
NETFILTER_XT_TARGET_TPROXY=m

/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/ip_forward = 1

This is my stunnel config:

cert = /etc/stunnel/assps.crt
key = /etc/stunnel/assps.key
pid = /var/run/stunnel/stunnel_smtps.pid
verify = 0
debug = 7
output = /var/log/stunnel_smtps.log
TIMEOUTconnect = 60

[smtps]
accept = 465
connect = MY_EXTERNAL_IP:25
transparent = source

My stunnel seems happy with the DH Parameters in my cert file.
My firewall relevant rules:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# stunnel -version
stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 July 2008
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug = daemon.notice
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
curve = sect163r2
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

# stunnel -sockets
Socket option defaults:
Option           Accept  Local  Remote  OS default
SO_DEBUG         --      --     --      0
SO_DONTROUTE     --      --     --      0
SO_KEEPALIVE     --      --     --      0
SO_LINGER        --      --     --      0:0
SO_OOBINLINE     --      --     --      0
SO_RCVBUF        --      --     --      87380
SO_SNDBUF        --      --     --      16384
SO_RCVLOWAT      --      --     --      1
SO_SNDLOWAT      --      --     --      1
SO_RCVTIMEO      --      --     --      0:0
SO_SNDTIMEO      --      --     --      0:0
SO_REUSEADDR     1       --     --      0
SO_BINDTODEVICE  --      --     --      --
TCP_KEEPCNT      --      --     --      9
TCP_KEEPIDLE     --      --     --      7200
TCP_KEEPINTVL    --      --     --      75
IP_TOS           --      --     --      0
IP_TTL           --      --     --      64
TCP_NODELAY      --      --     --      0

Here is the log file with the connection timeout:

2011.03.20 15:26:43 LOG5[23214:3073877712]: Reading configuration from file /etc/stunnel/stunnel-assp_smtps.conf
2011.03.20 15:26:43 LOG7[23214:3073877712]: Snagged 64 random bytes from /root/.rnd
2011.03.20 15:26:43 LOG7[23214:3073877712]: Wrote 1024 new random bytes to /root/.rnd
2011.03.20 15:26:43 LOG7[23214:3073877712]: PRNG seeded successfully
2011.03.20 15:26:43 LOG7[23214:3073877712]: Using DH parameters from /etc/stunnel/assps.crt
2011.03.20 15:26:43 LOG6[23214:3073877712]: DH initialized with 512 bit key
2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate: /etc/stunnel/assps.crt
2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate loaded
2011.03.20 15:26:43 LOG7[23214:3073877712]: Key file: /etc/stunnel/assps.key
2011.03.20 15:26:43 LOG7[23214:3073877712]: Private key loaded
2011.03.20 15:26:43 LOG7[23214:3073877712]: SSL context initialized for service smtps
2011.03.20 15:26:43 LOG5[23214:3073877712]: Configuration successful
2011.03.20 15:26:43 LOG5[23214:3073877712]: No limit detected for the number of clients
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=3 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=8 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=9 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=10 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: accept socket: FD=11 allocated (non-blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: Option SO_REUSEADDR set on accept socket
2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps bound to 0.0.0.0:465
2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps opened FD=11
2011.03.20 15:26:44 LOG7[23220:3073877712]: Created pid file /var/run/stunnel/stunnel_smtps.pid
2011.03.20 15:26:44 LOG5[23220:3073877712]: stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
2011.03.20 15:26:44 LOG5[23220:3073877712]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.03.20 15:26:56 LOG7[23220:3073877712]: local socket: FD=0 allocated (non-blocking mode)
2011.03.20 15:26:56 LOG7[23220:3073877712]: Service smtps accepted FD=0 from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps started
2011.03.20 15:26:56 LOG7[23220:3073874832]: Option TCP_NODELAY set on local socket
2011.03.20 15:26:56 LOG7[23220:3073874832]: Waiting for a libwrap process
2011.03.20 15:26:56 LOG7[23220:3073874832]: Acquired libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Releasing libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Released libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps permitted by libwrap from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG5[23220:3073874832]: Service smtps accepted connection from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): before/accept initialization
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client hello A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write server hello A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate request A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client key exchange A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read finished A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write change cipher spec A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write finished A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 items in the session cache
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects (SSL_connect())
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects that finished
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client renegotiations requested
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects (SSL_accept())
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects that finished
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 server renegotiations requested
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache hits
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 external session cache hits
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache misses
2011.03.20 15:26:57 LOG7[23220:3073874832]: 0 session cache timeouts
2011.03.20 15:26:57 LOG6[23220:3073874832]: SSL accepted: new session negotiated
2011.03.20 15:26:57 LOG6[23220:3073874832]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2011.03.20 15:26:57 LOG7[23220:3073874832]: remote socket: FD=1 allocated (non-blocking mode)
2011.03.20 15:26:57 LOG6[23220:3073874832]: local_bind succeeded on the original port
2011.03.20 15:26:57 LOG6[23220:3073874832]: connect_blocking: connecting MY_EXTERNAL_IP:25
2011.03.20 15:26:57 LOG7[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: waiting 60 seconds
2011.03.20 15:27:57 LOG3[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: TIMEOUTconnect exceeded
2011.03.20 15:27:57 LOG5[23220:3073874832]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.03.20 15:27:57 LOG7[23220:3073874832]: Service smtps finished (0 left)
2011.03.20 15:29:21 LOG7[23220:3073877712]: Dispatching signals from the signal pipe
2011.03.20 15:29:21 LOG5[23220:3073877712]: Received signal 15; terminating
2011.03.20 15:29:21 LOG7[23220:3073877712]: removing pid file /var/run/stunnel/stunnel_smtps.pid

The only even slightly odd thing I see other than the timeouts is the "2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate"
I'm not sure what that is about, but it doesn't seem critical...
Robert Hardy wrote:
> I've been fighting with stunnel, trying to get its transparent proxy support to work. No matter what I do, as soon as transparent = source support is turned on, tests with my mail client just time out.
> If I turn transparent proxy support off it works but appears as if connections are from localhost, which is undesirable.
[cut]
> 2011.03.20 15:26:57 LOG6[23220:3073874832]: local_bind succeeded on the original port
> 2011.03.20 15:26:57 LOG6[23220:3073874832]: connect_blocking: connecting MY_EXTERNAL_IP:25
> 2011.03.20 15:26:57 LOG7[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: waiting 60 seconds
> 2011.03.20 15:27:57 LOG3[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: TIMEOUTconnect exceeded

Interesting. I can't see any obvious mistake in your configuration.
With this type of problem "tcpdump", "iptables -L -v", and "dmesg" are your friends.
Best regards, Michal Trojnara
On Sat, 26 Mar 2011, Michal Trojnara wrote:
> Interesting. I can't see any obvious mistake in your configuration.
> With this type of problem "tcpdump", "iptables -L -v", and "dmesg" are your friends.
> Best regards, Michal Trojnara

I've tried several times to get stunnel to work as a transparent smtps proxy. I just tried again using stunnel 4.36 and as you suggested used tcpdump in several places, to attempt further debugging. It always just times out: both in the stunnel log file and my mail client times out too.
There are no obvious messages indicating the problem in dmesg or any logs.
To me, my firewall rules look fine.
With tcpdump on lo, I can see the traffic getting forwarded:
15:48:23.228526 IP fw1.pensivo.com.52370 > guru.webcon.net.smtp: S 3107220597:3107220597(0) win 32792 <mss 16396,sackOK,timestamp 128780080 0,nop,wscale 5>
With tcpdump on eth0, I can see some kind of response going out:
15:48:23.228554 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) guru.webcon.net.smtp > fw1.pensivo.com.52370: S, cksum 0x70bc (incorrect (-> 0x91ef), 3106887726:3106887726(0) ack 3107220598 win 14480 <mss 1460,sackOK,timestamp 128780080 128774822,nop,wscale 5>
but it seems too small and doesn't seem like enough traffic.
The incorrect cksums seem to be a red herring. I suspect it's really just an artifact due to hardware chksum offload. The packets make it back to my mail client box with valid chksums.
My mail server has net.ipv4.conf.all.rp_filter = 0. My ASSP maillog never shows a connection, refused or otherwise for the transparent proxied connection, even with the debug level very high.
Can you make any other suggestions?
Failing that, would you be willing to debug this interactively?
If you can respond off the list with a dollar amount or a referral to a contractor who would know what the tcpdump traffic should look like and could debug this install easily, that would be very much appreciated. I've been periodically spinning my wheels on this for too long.
Regards, Robert Hardy
On Tue, 3 May 2011, Robert Hardy wrote:
> On Sat, 26 Mar 2011, Michal Trojnara wrote:
> > Interesting. I can't see any obvious mistake in your configuration.
> > With this type of problem "tcpdump", "iptables -L -v", and "dmesg" are your friends.
> > Best regards, Michal Trojnara
> I've tried several times to get stunnel to work as a transparent smtps proxy. I just tried again using stunnel 4.36 and as you suggested used tcpdump in several places, to attempt further debugging. It always just times out: both in the stunnel log file and my mail client times out too.
> There are no obvious messages indicating the problem in dmesg or any logs.

I think I understand now what is happening.
Based on this config fragment and the tcpdumps on my external NIC on my mail server:

[smtps]
accept = 66.51.123.229:465
connect = 216.194.67.26:25
transparent = source

stunnel is properly listening on 465, decrypting the traffic and then forwarding the traffic to my mail server on port 25 as if it was coming from the source address. That's great; however, my mail server seems to be replying directly to the client directly from port 25, bypassing stunnel. Obviously, since the mail client is expecting SSL back and the communication to be from port 465, that isn't going to work.
I suspect I need transparent = both, but the service definition/iptables rules required are eluding me.
I tried

[smtps]
accept = 66.51.123.229:465
connect = 216.194.67.26:25
transparent = both

but it now complains

Line 27: End of section smtps: Each service must define two endpoints

The docs on transparent = both are a single line, which doesn't help much.
It isn't clear how you are supposed to merge the transparent=source and transparent=destination service definitions to make a transparent=both definition.
Can someone please provide an example for the correct service definition for transparent = both for smtps?
If this won't fix my issue, other comments are very welcome. I'm willing to pay cash for a workable solution to this problem.
Here is a tcpdump run on my mail server's external interface:
# tcpdump -i eth0 -x -X -nn -vvv -s 1500 \( host fw1.pensivo.com and not port 22 and not port 993 and not port 80 \)
Regards, Robert Hardy
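
Added example, not part of the original thread: a small Python check for the symptom described in the last message, where the mail server's SYN-ACK for the proxied connection leaves the external interface addressed to the client's own ip:port instead of coming back to stunnel. The capture text, the documentation-range addresses and the function name find_bypassed_replies are constructed for illustration; it expects tcpdump -nn text output.

```python
import re

# Constructed capture in the style of `tcpdump -nn -i eth0` output. Addresses
# are documentation ranges (assumptions, not the thread's hosts):
# client 203.0.113.7, stunnel 192.0.2.10:465, mail server 192.0.2.25:25.
SAMPLE = """\
15:13:24.817739 IP 203.0.113.7.56080 > 192.0.2.10.465: S 2667918792:2667918792(0) win 8192
15:13:24.817844 IP 192.0.2.10.465 > 203.0.113.7.56080: S 100515312:100515312(0) ack 2667918793 win 14600
15:13:24.866234 IP 203.0.113.7.56080 > 192.0.2.10.465: . ack 1 win 16425
15:13:24.871253 IP 192.0.2.25.25 > 203.0.113.7.56080: S 104463978:104463978(0) ack 93094159 win 14480
15:13:27.877522 IP 192.0.2.25.25 > 203.0.113.7.56080: S 104463978:104463978(0) ack 93094159 win 14480
15:13:28.677559 IP 192.0.2.25.25 > 203.0.113.7.56080: S 104463978:104463978(0) ack 93094159 win 14480
"""

# timestamp, optional "(tos ..., length: N)" header from -v, then
# src.port > dst.port: flags rest-of-line
PKT = re.compile(
    r"^\S+ IP (?:\(.*?\) )?"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"([SFPRWE.]+),? ?(.*)$"
)


def find_bypassed_replies(capture, proxy_port=465, backend_port=25):
    """Count backend SYN-ACKs addressed to the ip:port of a proxied client.

    Returns {(client_ip, client_port, backend_ip): syn_ack_count}.
    """
    clients = set()  # (ip, port) pairs that sent a SYN to the proxy port
    hits = {}
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue  # hex rows, banner lines, hostnames (capture needs -nn)
        src, sport, dst, dport, flags, rest = m.groups()
        sport, dport = int(sport), int(dport)
        is_syn = "S" in flags
        has_ack = re.search(r"\back \d+", rest) is not None
        if is_syn and not has_ack and dport == proxy_port:
            clients.add((src, sport))
        elif (is_syn and has_ack and sport == backend_port
              and (dst, dport) in clients):
            # transparent = source reuses the client's address and port, so
            # the backend's reply carries the client's ip:port as destination.
            key = (dst, dport, src)
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (cip, cport, backend), n in find_bypassed_replies(SAMPLE).items():
        print(f"{backend}:25 sent {n} SYN-ACK(s) straight to {cip}:{cport}")
```

A count above one means the SYN-ACK is being retransmitted: the client has no connection to port 25, never completes that handshake, and stunnel's connect eventually hits TIMEOUTconnect.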