
Re: Linux kernal 2.6.7-1 and tcp window scaling



On Sep 9, 2004, at 1:11 PM, Daniel Hartmeier wrote:

> You'll have to review your ruleset. Why is it passing a SYN from
> 131.106.1.51 to 131.106.3.1 port 25 out on rl0 without creating state?
> Either you don't have a tight default block policy (so the packet, not
> matching any rule, might pass by default, not creating state), or you
> have a matching rule (find it) that has no 'keep state' option.

Absolutely correct. "block in log all" rather than "block log all"; the outbound traffic on rl0 was not regulated. Once regulated everything else fell apart.



> Why does rule 43 not have 'flags S/SA'? If it had, you'd probably have
> spotted the breakage sooner, as that would lead to blocked (and logged)
> connections, not stalled connections after handshake.
>
> I suggest
>
>   a) use a default block rule that matches everything on at least
>      rl0 and fxp0
>   b) use 'log' on all block rules (you can relax that after debugging)
>   c) use 'keep state' and 'flags S/SA' on all 'pass proto tcp' rules

I've rewritten my rules carefully and they seem to be working now for all traffic, window scaling or no. Some things with existing states are getting blocked but that should change as the states expire.


Thanks for all your help!

Regards,

Tony Del Porto
SysAdmin, Conference Network Coordinator
USENIX Association
2560 9th Street, Suite 215, Berkeley CA 94710
[email protected] | www.usenix.org | www.sage.org
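The three suggestions above, written out as a pf.conf fragment. This is an added illustration, not the ruleset from the thread: the interface names and the logged addresses (131.106.1.51, 131.106.3.1 port 25, rl0) come from the messages above, while the /24 networks, the direction of each interface and the pass rules themselves are assumptions. The "weak" line is the one the reply identifies as the cause.

```pf
# Interfaces named in the thread. Which network sits behind which
# interface is assumed for this example.
net_a    = "131.106.1.0/24"    # assumed: reached via fxp0
net_b    = "131.106.3.0/24"    # assumed: reached via rl0
mailhost = "131.106.3.1"       # destination of the logged SYN

# Weak form (the original ruleset): only inbound packets fall under the
# default block. An outbound SYN on rl0 that matches no rule therefore
# leaves without creating state, and pf first sees the connection after
# the handshake that carried the TCP window-scaling option.
#
#   block in log all

# Corrected form, suggestion (a) and (b): default deny in both directions
# on every interface, logged while debugging.
block log all

# Loopback traffic is not inspected.
pass quick on lo0 all

# Suggestion (c): every TCP pass rule matches only the initial SYN
# (flags S/SA: of the SYN and ACK bits, SYN set and ACK clear) and
# creates state. A packet that is not part of a tracked handshake now
# hits the default block and shows up in the log instead of stalling.
#
# Path of the logged packet: the SYN from net_a enters on fxp0 and
# leaves on rl0. Both hops create state, so the replies from the mail
# host match that state on the way back.
pass in  on fxp0 proto tcp from $net_a to $mailhost port 25 \
    flags S/SA keep state
pass out on rl0  proto tcp from $net_a to $mailhost port 25 \
    flags S/SA keep state

# Same treatment for the reverse direction (assumed: hosts on net_b
# opening TCP connections towards net_a).
pass in  on rl0  proto tcp from $net_b to $net_a flags S/SA keep state
pass out on fxp0 proto tcp from $net_b to $net_a flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. The point about connections with pre-existing states being blocked until they expire applies here too: after loading a reworked ruleset, `pfctl -F state` drops the old state entries so every connection has to re-establish through the new rules, which is quicker than waiting for the timeouts and makes the log meaningful immediately.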