IPFW Problem

Gardner Bell gbell72 at rogers.com
Mon Nov 5 08:01:08 PST 2007


--- Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> 
> 
> john.w.court at nokia.com wrote:
> > Hmm, I may well be missing something very obvious but rule 01000 seems
> > to be doing exactly what it says it will.  Are you sure you meant "deny"
> > rather than "allow" on rule 01000 ?
> 
> Note that it is immediately after the check state rule.  What
> Gardner intended was to drop established tcp traffic that was not part
> of a session for which there was already state.  In fact this rule is
> redundant since (assuming I've read the rule set correctly) such traffic
> will get caught by the final deny rule.
> 
> What is odd about this problem is that it appears to be a timeout
> problem and thus probably not related to the firewall at all.  To me it
> seems that the initial SYN packet is getting lost and the retry gets
> through, hence the delay.
> 
> I suggested to Gardner that he log all dropped packets so he can see if
> it really is the firewall which is causing the problem.
> 
> Russell
> 

Removing rule 01000 seems to have fixed the timeout issues.  Thank you.

Gardner
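Russell's point about rule 01000 being redundant (an established-only deny placed right after check-state lands on the same packets the final deny would catch) can be checked with a toy model of ipfw's first-match, stateful evaluation. This is an added example, not code from the thread; the ruleset, addresses and the simplified "established"/"setup"/keep-state semantics are assumptions, since the original rule set was never posted.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    dst: str
    flags: str   # TCP flags as letters, e.g. "S", "SA", "A"
# Assumed ruleset (not from the thread): (number, action, matcher, keep_state).
# ipfw semantics modelled: "established" = ACK or RST set, "setup" = SYN only,
# keep_state creates a dynamic entry that a later check-state will match.
WITH_1000 = [
    (100,   "allow", "check-state", False),
    (1000,  "deny",  "established", False),
    (2000,  "allow", "setup",       True),
    (65535, "deny",  "any",         False),
]
WITHOUT_1000 = [r for r in WITH_1000 if r[0] != 1000]
def evaluate(rules, packets):
    """First-match evaluation; returns a (rule number, action) per packet."""
    state = set()   # dynamic rules: flows opened by a keep-state match
    verdicts = []
    for p in packets:
        flow, reverse = (p.src, p.dst), (p.dst, p.src)
        for num, action, match, keep_state in rules:
            if match == "check-state":
                if flow in state or reverse in state:
                    verdicts.append((num, "allow"))   # dynamic rule hit
                    break
                continue                               # no state: fall through
            if match == "established" and not ("A" in p.flags or "R" in p.flags):
                continue
            if match == "setup" and p.flags != "S":
                continue
            if keep_state:
                state.add(flow)
            verdicts.append((num, action))
            break
    return verdicts
# Constructed traffic: a normal handshake, then a stray ACK with no state.
TRAFFIC = [
    Pkt("10.0.0.2", "203.0.113.5", "S"),     # outbound SYN: opens state
    Pkt("203.0.113.5", "10.0.0.2", "SA"),    # reply: matches check-state
    Pkt("10.0.0.2", "203.0.113.5", "A"),     # handshake ACK: check-state
    Pkt("198.51.100.9", "10.0.0.2", "A"),    # stray ACK, no state entry
]
def compare():
    """Same allow/deny outcome with or without rule 1000; only the rule number differs."""
    a, b = evaluate(WITH_1000, TRAFFIC), evaluate(WITHOUT_1000, TRAFFIC)
    return a, b, [x[1] for x in a] == [x[1] for x in b]
```

In the model the stray ACK is denied at 1000 in one ruleset and at 65535 in the other, which is why logging the final deny (as Russell suggested) is the cleaner way to see what the firewall actually drops.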
