Firewall Wizards mailing list archives
Re: TCP issue with PF & SACK
From: Mike Frantzen <frantzen () w4g org>
Date: Sun, 25 Apr 2004 22:01:12 -0700
> I find it difficult to believe that PF doesn't handle state with selective acks on. Double-check your rulesets for TCP flag options.
> SACK is safe.
> TCP options might be set - you might want to force allowing those for the particular rulesets and see if that helps first; if not, you might want to see if TCP SYN proxies help.
I think it was a reaction between TCP timestamp modulation of the "reassemble tcp" scrub opt, Windows' NOP timestamps and Linux. But I'm debugging by guesswork here. It was fixed in rev 1.76 of pf_norm.c on December 18. I can't remember if that was before or after 3.4 was tagged for release.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
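The SACK and timestamp options the thread is arguing about, decoded from a segment's TCP options field so you can see exactly what a stateful filter's scrub logic has to track. This is an added example, not code from the thread or from PF itself; the option byte strings are constructed for illustration and follow the NOP-padded layout commonly used for the timestamp option.

```python
import struct

# TCP option kinds (RFC 793; RFC 2018 for SACK; RFC 1323 for timestamps)
EOL, NOP, MSS, WSCALE, SACK_PERMITTED, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8

def parse_tcp_options(raw):
    """Walk a TCP options field and return what a stateful filter such as
    PF's scrub sees: MSS, window scale, SACK-permitted, SACK blocks,
    the (tsval, tsecr) timestamp pair and how many NOP pads were used."""
    out = {"mss": None, "wscale": None, "sack_permitted": False,
           "sack_blocks": [], "timestamp": None, "nops": 0, "malformed": False}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                      # end of option list
            break
        if kind == NOP:                      # one-byte pad, no length field
            out["nops"] += 1
            i += 1
            continue
        # every other option carries a length byte that covers kind+length
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            out["malformed"] = True          # truncated or bogus length
            break
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == MSS and length == 4:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == WSCALE and length == 3:
            out["wscale"] = body[0]
        elif kind == SACK_PERMITTED and length == 2:
            out["sack_permitted"] = True
        elif kind == SACK and length > 2 and (length - 2) % 8 == 0:
            out["sack_blocks"] = [struct.unpack("!II", body[j:j + 8])
                                  for j in range(0, len(body), 8)]
        elif kind == TIMESTAMP and length == 10:
            out["timestamp"] = struct.unpack("!II", body)
        # unknown kinds are skipped by their length, as a host would do
        i += length
    return out

# Constructed SYN options: MSS 1460, NOP, WSCALE 2, NOP NOP TS, NOP NOP SACK-permitted
SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030302" "0101"
                            "080a1122334400000000" "0101" "0402")
# Constructed ACK options: NOP NOP TS, NOP NOP one SACK block covering [1000, 2000)
ACK_OPTIONS = bytes.fromhex("0101" "080a11223345aabbccdd" "0101" "050a000003e8000007d0")

if __name__ == "__main__":
    for name, opts in (("SYN", SYN_OPTIONS), ("ACK", ACK_OPTIONS)):
        print(name, parse_tcp_options(opts))
```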