IPFW Problem
Gardner Bell
gbell72 at rogers.com
Mon Nov 5 08:01:08 PST 2007
--- Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
> john.w.court at nokia.com wrote:
> > Hmm, I may well be missing something very obvious but rule 01000 seems
> > to be doing exactly what it says it will. Are you sure you meant "deny"
> > rather than "allow" on rule 01000 ?
>
> Note that it is immediately after the check-state rule. What Gardner
> intended was to drop established tcp traffic that was not part of a
> session for which there was already state. In fact this rule is
> redundant since (assuming I've read the rule set correctly) such traffic
> will get caught by the final deny rule.
>
> What is odd about this problem is that it appears to be a timeout
> problem and thus probably not related to the firewall at all. To me it
> seems that the initial SYN packet is getting lost and the retry gets
> through, hence the delay.
>
> I suggested to Gardner that he log all dropped packets so he can see if
> it really is the firewall which is causing the problem.
>
> Russell
>
Removing rule 01000 seems to have fixed the timeout issues. Thank you.
Gardner
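As an added illustration of the ordering point Russell makes above (this is a toy model written for this archive page, not code from the thread or from ipfw itself): a first-match walk over a check-state / deny-established / allow-setup-keep-state ruleset, with constructed sample packets, showing that a reply to a stateful session is accepted by check-state before rule 01000 is ever reached, and that a stray established packet with no state is denied either way, by 01000 if present or by the default deny if not. Rule numbers other than 01000, the addresses and the "inside is 10/8" match are assumptions.

```python
# ipfw-style "established": ACK or RST set (simplified model, assumption)
def is_established(p):
    return bool(p["flags"] & {"ACK", "RST"})

# ipfw-style "setup": SYN set, ACK clear (simplified model, assumption)
def is_setup(p):
    return "SYN" in p["flags"] and "ACK" not in p["flags"]

def flow_key(p):
    # Direction-independent flow identity, enough for a toy dynamic table
    return frozenset({p["src"], p["dst"]})

def run(rules, packets):
    """Walk each packet through numbered rules in order; first match wins.
    check-state consults the dynamic table, keep-state rules add to it,
    and 65535 is the default deny. Returns [(rule_number, verdict), ...]."""
    state = set()
    verdicts = []
    for p in packets:
        for num, action, match, keep in rules:
            if action == "check-state":
                if flow_key(p) in state:
                    verdicts.append((num, "allow"))  # dynamic rule matched
                    break
                continue
            if match(p):
                if keep:
                    state.add(flow_key(p))
                verdicts.append((num, action))
                break
        else:
            verdicts.append((65535, "deny"))  # fell through: final deny
    return verdicts

def ruleset(with_rule_1000):
    # Hypothetical ruleset modelled on the thread: check-state first,
    # optionally the disputed "deny tcp established" as rule 1000, then
    # "allow tcp from inside to any setup keep-state".
    rules = [(100, "check-state", None, False)]
    if with_rule_1000:
        rules.append((1000, "deny", is_established, False))
    rules.append((2000, "allow",
                  lambda p: p["src"].startswith("10.") and is_setup(p), True))
    return rules

PACKETS = [  # constructed sample traffic
    {"src": "10.0.0.5", "dst": "203.0.113.9", "flags": {"SYN"}},         # outbound setup
    {"src": "203.0.113.9", "dst": "10.0.0.5", "flags": {"SYN", "ACK"}},  # reply, state exists
    {"src": "198.51.100.7", "dst": "10.0.0.5", "flags": {"ACK"}},        # stray ACK, no state
]
```

Running the three packets through both rulesets gives identical allow/deny verdicts; only the rule number that produced the final deny differs, which is the sense in which rule 01000 is redundant.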