Date:      Mon, 5 Nov 2007 11:01:00 -0500 (EST)
From:      Gardner Bell <>
To:        Russell Fulton <>,
Subject:   Re: IPFW Problem


--- Russell Fulton <> wrote:

> wrote:
> > Hmm, I may well be missing something very obvious but rule 01000 seems
> > to be doing exactly what it says it will.  Are you sure you meant "deny"
> > rather than "allow" on rule 01000?
> Note that it is immediately after the check-state rule.  What Gardner
> intended was to drop established TCP traffic that was not part of a
> session for which there was already state.  In fact, this rule is
> redundant since (assuming I've read the rule set correctly) such traffic
> will get caught by the final deny rule.
> What is odd about this problem is that it appears to be a timeout
> problem and thus probably not related to the firewall at all.  To me it
> seems that the initial SYN packet is getting lost and the retry gets
> through, hence the delay.
> I suggested to Gardner that he log all dropped packets so he can see if
> it really is the firewall which is causing the problem.
> Russell

Removing rule 01000 seems to have fixed the timeout issues.  Thank you.
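
A ruleset with the shape Russell describes, added here as an illustration and not
anything Gardner or Russell posted: check-state first, the "deny established" rule
right behind it, keep-state allows, and a final deny.  The outside interface em0,
the inside network 192.168.1.0/24 and every rule number other than 01000 are
assumptions chosen for the example.  Every deny rule carries "log", which is how
"log all dropped packets" is done in ipfw, and the last function walks the rule
list the way the kernel would for a TCP segment that has ACK set but no entry in
the dynamic state table, showing that rule 01000 only changes which rule number
refuses such a packet.

```shell
#!/bin/sh
# Added example (not from the thread).  Assumed for illustration: outside
# interface em0, inside network 192.168.1.0/24, rule numbers other than 01000.

oif=${OIF:-em0}
inet=${INET:-192.168.1.0/24}

# Print the rules in evaluation order (ipfw is first-match).  Setting
# WITH_ESTABLISHED_DENY=no leaves rule 01000 out, as Gardner ended up doing.
gen_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00900 check-state
EOF
    if [ "${WITH_ESTABLISHED_DENY:-yes}" = yes ]; then
        # The rule under discussion: refuse any TCP segment with ACK set that
        # check-state did not already match against a dynamic rule.
        echo "add 01000 deny log tcp from any to any established"
    fi
    cat <<EOF
add 02000 allow tcp from ${inet} to any out via ${oif} setup keep-state
add 02100 allow udp from ${inet} to any 53 out via ${oif} keep-state
add 65000 deny log ip from any to any
EOF
}

# Load the rules.  $1 is the command run for each line; the default only
# echoes, so the script is safe to run anywhere.  On the firewall itself:
#   apply_rules "ipfw -q"
apply_rules() {
    fwcmd=${1:-"echo ipfw"}
    gen_rules | while IFS= read -r rule; do
        $fwcmd $rule
    done
}

# Rules carrying "log" only produce output when the kernel's verbose flag is on;
# lines go to syslog facility security (/var/log/security on FreeBSD).  A limit
# of 0 removes the per-rule cap on logged packets.
enable_logging() {
    fwcmd=${1:-"echo"}
    $fwcmd sysctl net.inet.ip.fw.verbose=1
    $fwcmd sysctl net.inet.ip.fw.verbose_limit=0
}

# After reproducing the slow connection: per-rule packet counters (-a), the
# dynamic state table (-d) and the logged denies show whether the firewall
# dropped the SYN or the reply at all.
show_drops() {
    fwcmd=${1:-"echo"}
    $fwcmd ipfw -a -d list
    $fwcmd grep ' Deny ' /var/log/security
}

# Trace a TCP segment with ACK set and no dynamic state through gen_rules:
# it is not on lo0 (00100), has no state (00900), is not a bare SYN so
# "setup" does not match (02000) and is not UDP (02100).  The first rule that
# can match it is therefore the first deny that is either "established" or
# the catch-all; this prints that rule's number without leading zeros.
stateless_ack_deny_rule() {
    gen_rules | awk '
        / deny / && (/established/ || / ip from any to any/) {
            sub(/^0+/, "", $2); print $2; exit
        }'
}

# Usage on the firewall (uncomment there):
#   apply_rules "ipfw -q"; enable_logging sh -c; show_drops
```

With rule 01000 present the trace prints 1000; with WITH_ESTABLISHED_DENY=no it
prints 65000, which is the redundancy Russell points out: the packet is refused
either way, and only the rule number in the log line differs.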

