Firewall Wizards mailing list archives

Re: TCP issue with PF & SACK
From: Mike Frantzen <frantzen () w4g org>
Date: Sun, 25 Apr 2004 22:01:12 -0700

I find it difficult to believe that PF doesn't handle state with selective
acks on.  Double-check your rulesets for TCP flag options.

SACK is safe.

TCP options might be set; you might want to force allowing those for
the particular rulesets and see if that helps first. If not, you might
want to see if TCP SYN proxies help.

I think it was a reaction between TCP timestamp modulation of the
"reassemble tcp" scrub opt, Windows' NOP timestamps and Linux.  But I'm
debugging by guesswork here.  It was fixed in rev 1.76 of pf_norm.c on
December 18.  I can't remember if that was before or after 3.4 was
tagged for release.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28