Firewall Wizards mailing list archives

Re: TCP issue with PF & SACK


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sun, 25 Apr 2004 09:46:22 -0400 (EDT)

On Fri, 23 Apr 2004, Mark Renouf wrote:

> Anyone have any hints? Something to check/add to my ruleset? Maybe it's
> a sysctl that needs to be enabled?

Log what you're denying, and see what gets logged?

> I've tried with 'net.inet.tcp.sack' both enabled and disabled.
>
> I checked the 3.5 changelog and saw this:
>
> "Reverse the enable logic for TCP selective acks, so TCP_SACK_DISABLE
> becomes TCP_SACK_ENABLE"
>
> Not sure if that's relevant...

I find it difficult to believe that PF doesn't handle state with selective
acks on.  Double-check your rulesets for TCP flag options.

TCP options might be set; you might want to force allowing those for
the particular rulesets and see if that helps first. If not, you might
want to see if TCP SYN proxies help.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
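An added example, not part of the original thread, showing the three troubleshooting steps Paul suggests in pf.conf form: a default block rule with logging so the denied packets can be inspected on pflog0, a pass rule with an explicit `flags S/SA` modifier so state is only created by the initial SYN, and a commented-out variant of the same rule using `synproxy state`. The interface name `fxp0` and the port list are assumed values for illustration; substitute your own.

```pf
# Added example (not from the thread). The interface name and the port
# list are assumptions; adjust them to the firewall being debugged.
ext_if = "fxp0"
tcp_services = "{ 22, 80 }"

# Step 1: log what you deny. Every packet blocked by this default rule is
# copied to the pflog0 interface, where tcpdump can read it together with
# the number of the rule that blocked it.
block in log on $ext_if all

# Step 2: make the TCP flag matching explicit. "flags S/SA" means: of the
# SYN and ACK bits, only SYN may be set, so state is created by the first
# SYN of a connection and not by a stray mid-stream segment. Compare this
# with what the existing ruleset does for its TCP pass rules.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# Step 3 (alternative to the rule above): let pf complete the three-way
# handshake itself before the server ever sees the connection. Swap this
# in for the rule above to test whether a SYN proxy changes the behaviour.
# pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
#     flags S/SA synproxy state

# Allow connections initiated by the firewall itself and their replies.
pass out on $ext_if all keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, then watch the denied traffic with `tcpdump -n -e -ttt -i pflog0`; the `-e` flag prints the blocking rule number for each packet. `pfctl -vs rules` shows per-rule packet and byte counters, which tells you which rule the failing connection is actually hitting, and `pfctl -s state` shows whether a state entry was created for it at all.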