[fw-wiz] TCP issue with PF & SACK

From: Mark Renouf (mark_at_tweakt.net)
Date: 04/23/04

  • Next message: Carric Dooley: "Re: [fw-wiz] Stanford break in"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 23 Apr 2004 00:14:04 -0400
    
    

    Greetings... long time lurker, first time poster...

    I have here an OpenBSD 3.4 PF/NAT in front of my cablemodem acting as
    traffic cop. I recently upgraded from 2.9 (with ipf). Now, for the most
    part I understand the rule syntax and have effectively translated my
    ruleset over, things are working ok...

    With one exception...

    I've noticed... certain hosts, I cannot establish a TCP connection with.
    Most obvious are http connections, but I'm sure it would probably occur
    with any tcp based service on those hosts.

    Basically, my firewall receives the SYN/ACK but doesn't "see" it. By
    that I mean, it's never acknowledged, state tables are not affected,
    it's as if it was never sent. But it *is* being received (on the wire at
    least). tcpdump provides proof of that.

    So far, the pattern seems to be remote hosts which support SACK (RFC
    2018). All the hosts which my firewall fails to connect to, are
    returning the SACK Permitted option in the S/A packet.

    Anyone have any hints? Something to check/add to my ruleset? Maybe it's
    a sysctl that needs to be enabled?

    I've tried with 'net.inet.tcp.sack' both enabled and disabled.

    I checked the 3.5 changelog and saw this:

    "Reverse the enable logic for TCP selective acks, so TCP_SACK_DISABLE
    becomes TCP_SACK_ENABLE"

    Not sure if that's relevant...

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Carric Dooley: "Re: [fw-wiz] Stanford break in"