Date: Mon, 5 Nov 2007 11:01:00 -0500 (EST)
From: Gardner Bell <gbell72@rogers.com>
To: Russell Fulton <r.fulton@auckland.ac.nz>, john.w.court@nokia.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW Problem
Message-ID: <658878.58430.qm@web88002.mail.re2.yahoo.com>
In-Reply-To: <472E5A58.5090707@auckland.ac.nz>
--- Russell Fulton <r.fulton@auckland.ac.nz> wrote:

> john.w.court@nokia.com wrote:
> > Hmm, I may well be missing something very obvious but rule 01000 seems
> > to be doing exactly what it says it will. Are you sure you meant "deny"
> > rather than "allow" on rule 01000?
>
> Note that it is immediately after the check state rule. What Gardner
> intended was to drop established tcp traffic that was not part of a
> session for which there was already state. In fact this rule is
> redundant since (assuming I've read the rule set correctly) such traffic
> will get caught by the final deny rule.
>
> What is odd about this problem is that it appears to be a timeout
> problem and thus probably not related to the firewall at all. To me it
> seems that the initial SYN packet is getting lost and the retry gets
> through, hence the delay.
>
> I suggested to Gardner that he log all dropped packets so he can see if
> it really is the firewall which is causing the problem.
>
> Russell

Removing rule 01000 seems to have fixed the timeout issues. Thank you.

Gardner