Date: Tue, 20 Mar 2007 18:59:38 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: WAYNE KING <king.812@osu.edu>
Subject: Re: problem with linux kernel 2.16.18.2 and packet filter
Message-ID: <200703201859.44947.max@love2party.net>
In-Reply-To: <2a1c4c62a19f27.2a19f272a1c4c6@osu.edu>
References: <2a1c4c62a19f27.2a19f272a1c4c6@osu.edu>

On Tuesday 20 March 2007 18:42, WAYNE KING wrote:
> Hello list, My subnet at Ohio State is running a BSD firewall with
> packet filter. It works great, but I just encountered a weird problem
> with the linux 2.16.18.2 kernel and packet filter. When the firewall
> was on I could do absolutely nothing via the web; every page would
> hang. As soon as I turned the firewall off, all connections worked
> fine. Apparently this is a known bug? and changing the
> tcp_window_scaling setting in the kernel to 0 fixes it. Anyway I was
> hoping that someone could explain to me why that setting might cause a
> problem with packet filter. It irritated me for weeks. By the way I'm
> using OpenSuse 10.2 --never had it up to and including Suse 10.1. I'm
> not sure if this is a problem in general with that kernel or with some
> distro particular. I'm running fedora core 6 on another computer and
> that works fine. I just discovered this fix so I haven't checked what
> kernel that has installed (fedora core 6) or what the
> tcp_window_scaling is by default. The following command fixed it on my
> computer (openSuse 10.2)
>
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>
> Any quick insights just for my own education?

Could you enable misc logging for pf (pfctl -xm) and watch the console
while you try to connect to the net with the affected Linux box?

Also, window scaling related problems are usually caused by keep state
rules that do not include "flags S/SA". Under some circumstances you
could get pf to install a state entry for which it has not seen the
initial SYN and thus it is not informed about the negotiated scaling
factor and breaks the connection later.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
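
The failure mode described in the reply above, as an added example that is not part of the original message and is not pf's code: a simplified window check showing why a state entry created without seeing the SYN misjudges the receiver's window. The class and function names and all trace values are constructed for illustration.

```python
from dataclasses import dataclass

MAX_WSCALE = 14  # largest shift count TCP window scaling allows (RFC 1323)


@dataclass
class TrackedReceiver:
    """One direction of a state entry (simplified model, not pf's structures)."""
    wscale: int = 0   # shift count from the receiver's SYN; 0 if SYN never seen
    ack: int = 0      # next byte the receiver expects
    window: int = 0   # receive window in bytes, after applying wscale

    def on_syn(self, win_field: int, wscale_opt: int) -> None:
        # The window field of a SYN itself is never scaled; only note the option.
        self.wscale = min(wscale_opt, MAX_WSCALE)
        self.window = win_field

    def on_ack(self, ack: int, win_field: int) -> None:
        # After the handshake the 16-bit field means win_field << wscale bytes.
        self.ack, self.window = ack, win_field << self.wscale

    def accepts(self, seq: int, length: int) -> bool:
        # Sequence wraparound is ignored to keep the model short.
        return self.ack <= seq and seq + length <= self.ack + self.window


def replay(state_created_on_syn: bool) -> bool:
    """Constructed trace: Linux client offers wscale 7, then advertises 46
    (46 << 7 = 5888 bytes); the web server answers with a 1448-byte segment."""
    client = TrackedReceiver()
    if state_created_on_syn:      # rule has "flags S/SA": state starts at the SYN
        client.on_syn(win_field=5840, wscale_opt=7)
    client.on_ack(ack=5001, win_field=46)   # first packet a late state would see
    return client.accepts(seq=5001, length=1448)


if __name__ == "__main__":
    print("state from SYN  :", replay(True))   # segment fits inside 5888 bytes
    print("state mid-stream:", replay(False))  # filter believes window is 46 bytes
```

With tcp_window_scaling set to 0 the client never sends the option, so the unscaled reading of the window field is correct even for a state entry created mid-connection.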