Re: Linux kernel 2.6.7-1 and tcp window scaling
On Sep 9, 2004, at 1:11 PM, Daniel Hartmeier wrote:
> You'll have to review your ruleset. Why is it passing a SYN from
> 184.108.40.206 to 220.127.116.11 port 25 out on rl0 without creating state?
> Either you don't have a tight default block policy (so the packet, not
> matching any rule, might pass by default, not creating state), or you
> have a matching rule (find it) that has no 'keep state' option.
Absolutely correct. "block in log all" rather than "block log all"; the
outbound traffic on rl0 was not regulated. Once regulated, everything
else fell apart.
> Why does rule 43 not have 'flags S/SA'? If it had, you'd probably have
> spotted the breakage sooner, as that would lead to blocked (and logged)
> connections, not stalled connections after handshake.
> a) use a default block rule that matches everything on at least
> rl0 and fxp0
> b) use 'log' on all block rules (you can relax that after debugging)
> c) use 'keep state' and 'flags S/SA' on all 'pass proto tcp' rules
I've rewritten my rules carefully and they seem to be working now for
all traffic, window scaling or no. Some things with existing states are
getting blocked but that should change as the states expire.
Thanks for all your help!
Tony Del Porto
SysAdmin, Conference Network Coordinator
2560 9th Street, Suite 215, Berkeley CA 94710
[email protected] | www.usenix.org | www.sage.org
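For readers following the thread, here is a pf.conf fragment (added here as an illustration; it is not Tony's ruleset and not part of the original post) that shows the shape of the mistake described above beside a ruleset that applies Daniel's three recommendations. The interface names rl0 (external) and fxp0 (internal) come from the thread; the macro names, the mail-host address and the "before"/"after" layout are assumptions made for the example. The two fragments are alternatives, not meant to be loaded together.

```pf
# Added example, not from the thread. Syntax is that of pf as of 2004
# (OpenBSD 3.x); since OpenBSD 4.1 'keep state' and 'flags S/SA' are
# defaults on pass rules, so the fix below is already implicit there.
ext_if   = "rl0"          # external interface (from the thread)
int_if   = "fxp0"         # internal interface (from the thread)
mailhost = "192.0.2.25"   # constructed placeholder address

# --- Before: the problem the thread describes ---------------------------
# Only inbound traffic is blocked by default, so anything leaving on rl0
# that matches no rule passes without creating state.
block in log all
# SMTP passed without 'keep state' or 'flags S/SA'. When pf sees a
# mid-stream ACK first (or creates state on a non-SYN packet), it never
# learns the TCP window-scaling factor from the handshake, so later
# packets fall outside the window it tracks and the connection stalls
# silently instead of being blocked and logged.
pass out on $ext_if proto tcp from any to $mailhost port 25

# --- After: recommendations (a), (b), (c) from the thread ---------------
# (a) a default block that covers every direction on every interface
# (b) 'log' on the block rule so every miss shows up on pflog0
block log all
# (c) create state only on the initial SYN (flags S/SA), so the state
#     carries the window-scaling option negotiated in the handshake;
#     any other first packet is blocked and logged, which is the
#     visible failure Daniel says makes the breakage easy to spot.
pass out on $ext_if proto tcp from any to $mailhost port 25 \
    flags S/SA keep state
pass in on $int_if proto tcp from $int_if:network to $mailhost port 25 \
    flags S/SA keep state
```

To check a rewrite like this, load it with `pfctl -nf /etc/pf.conf` first (parse only, no load), then watch `tcpdump -n -e -ttt -i pflog0` while testing: with the "after" ruleset a legitimate connection that still fails shows up as a logged block on a specific rule, whereas the "before" ruleset produced stalls with nothing in the log.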