Date:      Mon, 5 Nov 2007 11:01:00 -0500 (EST)
From:      Gardner Bell <gbell72@rogers.com>
To:        Russell Fulton <r.fulton@auckland.ac.nz>, john.w.court@nokia.com
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW Problem
Message-ID:  <658878.58430.qm@web88002.mail.re2.yahoo.com>
In-Reply-To: <472E5A58.5090707@auckland.ac.nz>


--- Russell Fulton <r.fulton@auckland.ac.nz> wrote:

> john.w.court@nokia.com wrote:
> > Hmm, I may well be missing something very obvious but rule 01000 seems
> > to be doing exactly what it says it will.  Are you sure you meant "deny"
> > rather than "allow" on rule 01000 ?
> 
> Note that it is immediately after the check state rule.  What Gardner
> intended was to drop established tcp traffic that was not part of a
> session for which there was already state.  In fact this rule is
> redundant since (assuming I've read the rule set correctly) such traffic
> will get caught by the final deny rule.
> 
> What is odd about this problem is that it appears to be a timeout
> problem and thus probably not related to the firewall at all.  To me it
> seems that the initial SYN packet is getting lost and the retry gets
> through, hence the delay.
> 
> I suggested to Gardner that he log all dropped packets so he can see if
> it really is the firewall which is causing the problem.
> 
> Russell
> 

Removing rule 01000 seems to have fixed the timeout issues.  Thank you.

Gardner
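A minimal stateful ruleset in ipfw(8)'s rule-file format (loaded with `ipfw /etc/ipfw.rules`) that follows the ordering Russell describes, with the redundant post-check-state deny left out and the final deny logging every drop. This is an added illustration, not the ruleset from the thread; the rule numbers, the outside interface name `em0`, the offered service (ssh) and the exact wording of the removed rule are assumptions, since rule 01000 itself is never quoted in the thread.

```ipfw
# Constructed example ruleset (not the poster's).  Load with: ipfw /etc/ipfw.rules
# Assumed outside interface: em0.  Flush first so a reload is idempotent.
flush

# Loopback first: never filter lo0, and never accept 127/8 from the wire.
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any

# 1. Pass packets that belong to a session already in the dynamic state table.
add 00500 check-state

# 2. Rule 01000 in the thread sat right here and denied "established" TCP
#    that had no matching state.  As Russell notes it is redundant: anything
#    check-state does not match and no later rule allows reaches the final
#    deny anyway.  Removing it is what the thread reports fixed the timeouts.
#    (Assumed wording, kept only as a comment.)
#add 01000 deny tcp from any to any established

# 3. Stateful allows.  "setup" matches only the SYN of a new outbound TCP
#    connection; keep-state creates the dynamic rule that check-state then
#    matches for the rest of the session.
add 02000 allow tcp from me to any out via em0 setup keep-state
add 02100 allow udp from me to any out via em0 keep-state
add 02200 allow icmp from any to any icmptypes 0,3,8,11

# 4. Inbound services explicitly offered, also stateful (ssh assumed here).
add 03000 allow tcp from any to me 22 in via em0 setup keep-state

# 5. Final deny with logging, so every drop (a lost SYN included) is visible
#    in /var/log/security.  Logging needs: sysctl net.inet.ip.fw.verbose=1
add 65000 deny log ip from any to any
```

With logging on the final rule, a SYN that the firewall drops appears as a logged deny for that rule, while one that never reached the host leaves no entry at all, which is exactly the distinction Russell suggested checking.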