|||
IPF: Packets Out Of Window
I'm having problems with receiving some mails on a QMail box. To be more specific, only mails with rather large attachments (+500K). This appears to be a firewall issue, because when the firewall (IPF) is off, the message is received.
I kept track of the blocked packets and saw the following packet being blocked during such an SMTP transfer: Code:
09/05/2008 12:54:23.973302 xl1 @0:28 b 111.111.11.11,58211 -> 222.222.22.22,25 PR tcp len 20 1500 -AP IN OOW
I read that this is an IPF issue, which might be fixed in a later version (running IPF 4.1.8 (416) now). freebsd-update didn't offer IPF updates and I'm not feeling like I'm going to upgrade that server to a newer FreeBSD (running 6.0 now). What do you suggest, is there a fix without doing updates?
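To see how often the firewall is throwing away in-window-looking data as OOW (and from which peers), it helps to parse the ipmon log rather than eyeball it. The following is an added example, not code from the thread or from the IPF project: it assumes ipmon lines laid out like the one quoted above (date, time, interface, @group:rule, b/p, src,sport -> dst,dport, PR proto, len hdr pkt, TCP flags, IN/OUT, optional extras such as OOW) and ipf.rules in the syntax used later in the thread. It also lints a ruleset for TCP rules that keep state without restricting state creation to the initial SYN via flags S/SA, which is the change the thread settles on. The sample log lines (apart from the first, taken from the thread) and the sample ruleset are constructed.

```python
"""Find IPF out-of-window (OOW) blocks in ipmon output and flag ipf.rules
entries that create TCP state on any packet instead of on the SYN only.

Added example (not the poster's or IPF's own code). The log layout is
assumed from the line quoted in the thread; the ruleset syntax is the
ipf syntax used in the thread.
"""
import re
from collections import Counter

# Assumed ipmon layout:
# <date> <time> <if> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport>
#   PR <proto> len <hdrlen> <pktlen> [<tcpflags>] <IN|OUT> [<extra> ...]
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) len (?P<hlen>\d+) "
    r"(?P<plen>\d+)(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)(?: (?P<extra>.*))?$"
)

# Constructed sample: line 1 is the packet from the thread, the rest are made up.
SAMPLE_LOG = """\
09/05/2008 12:54:23.973302 xl1 @0:28 b 111.111.11.11,58211 -> 222.222.22.22,25 PR tcp len 20 1500 -AP IN OOW
09/05/2008 12:54:23.981144 xl1 @0:28 b 111.111.11.11,58211 -> 222.222.22.22,25 PR tcp len 20 1500 -AP IN OOW
09/05/2008 12:54:30.102233 xl1 @0:12 p 203.0.113.7,40112 -> 222.222.22.22,25 PR tcp len 20 60 -S IN
09/05/2008 12:55:01.555000 xl1 @0:5 b 198.51.100.9,1434 -> 222.222.22.22,1434 PR udp len 20 404 IN
"""

# Constructed ipf.rules fragment (hypothetical, not the poster's full ruleset).
SAMPLE_RULES = """\
# constructed example ruleset
block in all
pass out quick on xl1 proto tcp from any to any flags S/SA keep state
pass in quick on xl1 proto tcp from any to any port = 25 keep state
pass in quick on xl1 proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on xl1 proto udp from any to any port = 53 keep state
"""


def parse_ipmon_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["blocked"] = rec["action"] == "b"
    # Trailing tokens such as "OOW" (out of window) or "S" (short) live in extra.
    rec["oow"] = "OOW" in (rec["extra"] or "").split()
    return rec


def oow_summary(log_text):
    """Count blocked out-of-window packets per (src, dst, dst port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["blocked"] and rec["oow"]:
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return counts


def stateful_rules_without_syn_flags(rules_text):
    """Return (line number, rule) for TCP rules that 'keep state' but lack
    'flags S' / 'flags S/SA', i.e. that may create state mid-connection
    and so miss the window scale option negotiated on the SYN."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()  # drop comments
        if not rule or "keep state" not in rule:
            continue
        if not re.search(r"\bproto tcp\b", rule):
            continue
        if re.search(r"\bflags S(?:/[A-Z]+)?(?:\s|$)", rule):
            continue
        findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for (src, dst, dport), n in oow_summary(SAMPLE_LOG).items():
        print(f"{n} OOW block(s): {src} -> {dst}:{dport}")
    for lineno, rule in stateful_rules_without_syn_flags(SAMPLE_RULES):
        print(f"ipf.rules line {lineno} keeps TCP state without flags S/SA: {rule}")
```

Run it against a real ipmon log by replacing SAMPLE_LOG with the file contents; a steady stream of OOW blocks toward port 25 from the same peer, paired with a stateful port 25 rule the linter flags, is the pattern this thread describes.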
|||
See http://undeadly.org/cgi?action=artic...20060928081238 section Create TCP states on the initial SYN packet.
Although for pf, this section explains why it is important to keep state on the first packet of the three-way TCP handshake. Doing this prevents problems with TCP window scaling. IIRC FreeBSD has a sysctl to disable this window scaling as defined in RFC 1323. On OpenBSD (don't have access to a FBSD box) it is called Code:
net.inet.tcp.rfc1323=1
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|||
Thanks, that seems to solve the problems of packets getting out of window.
|||
If disabling rfc1323 solves it then your next step would be to revise your ipf ruleset and only create state on the initial TCP packet by using Code:
flags S/SA
|||
I re-enabled the rfc1323 option again and adapted ipf.rules such that I had:
Code:
pass in quick on xl1 proto tcp from any to any port = 25 flags S/SA keep state
|||
I never used ipf, and I don't know whether ipf actually is capable of dealing with TCP window scaling. I only know for sure that pf knows how to deal with this.
|||
Quote:
I'm asking because I have read, on openbsd-misc, about a similar problem with pf and Microsoft servers ....
|||
It doesn't happen with all mails with larger attachments. It seems to depend on the server it's communicating with.
|||
Then it is obviously a server issue and not yours. (There is too much crap out there ...)
|||
If the problem can be solved by disabling TCP window scaling as the OP mentioned in http://daemonforums.org/showpost.php?p=3420&postcount=3, the problem is either caused by ipf or by an intermediate router/firewall not understanding this scaling mechanism.
Microsoft Vista has this scaling mechanism enabled by default. That is why many people experience these kinds of problems only after the launch of Vista. For some details about TCP window scaling, see http://en.wikipedia.org/wiki/TCP_window_scale_option
Tags: ipf, oow, tcp window scaling