[fw-wiz] TCP issue with PF & SACK
From: Mark Renouf (mark_at_tweakt.net)
To: firstname.lastname@example.org
Date: Fri, 23 Apr 2004 00:14:04 -0400
Greetings... long time lurker, first time poster...
I have here an OpenBSD 3.4 PF/NAT in front of my cablemodem acting as
traffic cop. I recently upgraded from 2.9 (with ipf). Now, for the most
part I understand the rule syntax and have effectively translated my
ruleset over, things are working ok...
With one exception...
I've noticed there are certain hosts I cannot establish a TCP connection with.
Most obvious are http connections, but I'm sure it would probably occur
with any tcp based service on those hosts.
Basically, my firewall receives the SYN/ACK but doesn't "see" it. By
that I mean, it's never acknowledged, state tables are not affected,
it's as if it was never sent. But it *is* being received (on the wire at
least). tcpdump provides proof of that.
So far, the pattern seems to be remote hosts which support SACK (RFC
2018). All the hosts which my firewall fails to connect to are
returning the SACK Permitted option in the S/A packet.
Anyone have any hints? Something to check/add to my ruleset? Maybe it's
a sysctl that needs to be enabled?
I've tried with 'net.inet.tcp.sack' both enabled and disabled.
I checked the 3.5 changelog and saw this:
"Reverse the enable logic for TCP selective acks, so TCP_SACK_DISABLE
Not sure if that's relevant...
firewall-wizards mailing list
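The poster's observation hinges on whether the SYN/ACK carries the SACK Permitted option (TCP option kind 4, RFC 2018). The following added example (not from the original post or from OpenBSD/PF) parses the TCP fixed header and options from raw segment bytes so a captured S/A can be checked for that option; the sample segment is constructed for illustration and the function names are my own.

```python
import struct

# Constructed sample: a TCP SYN/ACK header (20-byte fixed part + 12 bytes of
# options). Built here for illustration; it is not a capture from the post.
SYNACK = bytes.fromhex(
    "0050" "c3a8"          # source port 80, destination port 50088
    "1a2b3c4d"             # sequence number
    "11223344"             # acknowledgement number
    "80" "12"              # data offset 8 (32 bytes), flags SYN|ACK
    "ffff" "0000" "0000"   # window, checksum (zeroed), urgent pointer
    "020405b4"             # MSS 1460 (kind 2, length 4)
    "0402"                 # SACK Permitted (kind 4, length 2)
    "0103030a"             # NOP, window scale 10 (kind 3, length 3)
    "0000"                 # end-of-options padding
)

TCP_SYN, TCP_ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_SACK_PERMITTED = 0, 1, 4

def parse_tcp(segment):
    """Return (flags, options); options is a list of (kind, payload bytes)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags, _win = struct.unpack("!HHIIHH", segment[:16])
    data_off = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x1FF             # low 9 bits are the flag bits
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < data_off:
        kind = segment[i]
        if kind == OPT_EOL:               # end of option list
            break
        if kind == OPT_NOP:               # single-byte padding option
            i += 1
            continue
        if i + 1 >= data_off:
            raise ValueError("option length byte missing")
        length = segment[i + 1]
        if length < 2 or i + length > data_off:
            raise ValueError("bad option length")
        opts.append((kind, segment[i + 2:i + length]))
        i += length
    return flags, opts

def is_synack_with_sack_permitted(segment):
    """True if the segment is a SYN/ACK advertising SACK Permitted."""
    flags, opts = parse_tcp(segment)
    synack = flags & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK)
    return synack and any(k == OPT_SACK_PERMITTED for k, _ in opts)
```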