Firewall Wizards mailing list archives
Re: TCP issue with PF & SACK
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sun, 25 Apr 2004 09:46:22 -0400 (EDT)
On Fri, 23 Apr 2004, Mark Renouf wrote:
> Anyone have any hints? Something to check/add to my ruleset? Maybe it's a sysctl that needs to be enabled?
Log what you're denying, and see what gets logged?
> I've tried with 'net.inet.tcp.sack' both enabled and disabled. I checked the 3.5 changelog and saw this: "Reverse the enable logic for TCP selective acks, so TCP_SACK_DISABLE becomes TCP_SACK_ENABLE" Not sure if that's relevant...
I find it difficult to believe that PF doesn't handle state with selective acks on. Double-check your rulesets for TCP flag options. TCP options might be set; you might want to force allowing those for the particular rulesets, and see if that helps first. If not, you might want to see if TCP SYN proxies help.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment, TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
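The three checks suggested in the reply (log the denies, pin down the TCP flag match, try a SYN proxy) as a pf.conf fragment in OpenBSD 3.x syntax. This is an added example, not a ruleset posted in the thread; the interface name fxp0 and the ports are assumed.

```conf
# Added example, not from the thread: interface and ports are assumptions.
ext_if = "fxp0"

# 1. Log everything that is denied, so pflog shows exactly which packets
#    PF is dropping instead of guessing from the application side.
block log all

# 2. Make the TCP flag match explicit. "flags S/SA" compares only the SYN
#    and ACK bits of the TCP header; it never inspects TCP options such as
#    SACK-permitted, window scale or timestamps, so toggling net.inet.tcp.sack
#    does not change whether a packet matches this rule. A connection whose
#    initial SYN PF did not see creates no state and falls through to the
#    block rule above, which is what the log will reveal.
pass in  on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state

# 3. SYN proxy variant: PF completes the three-way handshake itself before
#    any packet reaches the host, so the host only ever sees established
#    connections. Enable in place of the "keep state" rule for the port.
# pass in on $ext_if proto tcp from any to $ext_if port 80 flags S/SA synproxy state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Denied packets show up with `tcpdump -n -e -ttt -i pflog0` (the `-e` prints the rule number and direction), and `pfctl -s state` shows whether a state entry was actually created for the failing connection; a mid-stream packet with no matching state is the usual reason a `flags S/SA keep state` ruleset drops traffic.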
Current thread:
- TCP issue with PF & SACK Mark Renouf (Apr 23)
- Re: TCP issue with PF & SACK Paul D. Robertson (Apr 25)
- Re: TCP issue with PF & SACK Mike Frantzen (Apr 26)
- Re: TCP issue with PF & SACK Paul D. Robertson (Apr 25)