Date: Mon, 27 Dec 1999 13:43:30 +0300
From: Ilya Obshadko <ilya@zhurnal.ru>
To: stable@freebsd.org
Subject: IPFILTER: problem with denied ACK packets
Message-ID: <10571.991227@zhurnal.ru>
Hello,

Here's a strange problem with IPFILTER. Rulefile looks like this:

    block in log on de0 all
    pass in quick on de0 proto icmp from any to any
    pass out quick on de0 proto icmp from any to any
    pass out quick on de0 proto tcp from OUR_NET to any keep state keep frags
    pass out quick on de0 proto udp from OUR_NET to any keep state keep frags

As far as I know, this set of rules allows all outbound traffic without any restrictions. But, when I'm trying to send a large amount of data (e.g. a file attachment) via SMTP, sending stops after about 10 kbytes. Both tcpdump and ipmon show denied ACK tcp packets that the SMTP server sends back to my machine. Seems like those ACK packets are not counted as a part of the "keep state" rule by IPFILTER.

The problem can be solved by an explicit rule:

    pass in quick on de0 proto tcp from MY_SMTP_SERVER port = smtp to MY_MACHINE

But this doesn't seem to be a secure and reliable way. Even more, if I enable, by the way, inbound ftp on any of the machines in our net and try to download any file from outside, the symptoms are exactly the same: transfer stops after ~10 kbytes, tcpdump & ipmon report denied ACK packets etc...

Best regards,
Ilya mailto:ilya@zhurnal.ru
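The post turns on what "keep state" is supposed to do: an outbound rule that creates state should also let the reply traffic for that flow back in, including the server's pure ACK segments, without any explicit inbound rule. The following is an added example written for this archive page, not IPFILTER code and not the poster's configuration: a simplified five-tuple state table that models the intended behaviour of the rule set above. OUR_NET, the client and server addresses, and the packet sequence are constructed values. It does not attempt to reproduce the bug the poster hit, since the message does not state its cause; it only shows what a correctly matching state entry looks like and which packets the default-deny inbound rule should still log.

```python
"""Simplified model of 'keep state' matching (added example, not ipf's code).

The state table is keyed on (proto, src, sport, dst, dport). A packet matches
an entry either directly or with its addresses/ports swapped, which is how the
server's SYN/ACK and later ACKs are supposed to be accepted without an
explicit 'pass in' rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the OUR_NET macro in the post.
OUR_NET = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to interface de0
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags, e.g. "S", "SA", "A", "PA"


def _key(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse_key(p: Packet):
    """Same flow seen from the other side (reply direction)."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    """Models the posted rule set: deny inbound by default and log it,
    pass icmp both ways, pass outbound tcp/udp from OUR_NET and keep state."""

    def __init__(self):
        self.state = set()
        self.log = []          # what ipmon would show for the 'block in log' rule

    def filter(self, p: Packet) -> str:
        # State lookup comes first: any packet of an established flow passes,
        # whichever direction it travels.
        if _key(p) in self.state or _reverse_key(p) in self.state:
            return "pass(state)"
        if p.proto == "icmp":
            return "pass"
        if (p.direction == "out" and p.proto in ("tcp", "udp")
                and ip_address(p.src) in OUR_NET):
            self.state.add(_key(p))   # 'keep state' creates the entry
            return "pass(new state)"
        if p.direction == "in":
            self.log.append(
                f"blocked {p.proto} {p.src},{p.sport} -> {p.dst},{p.dport} {p.flags}")
        return "block"


def smtp_session(fw: StatefulFilter) -> list:
    """Constructed SMTP exchange: client 192.0.2.10:40000 -> server 198.51.100.25:25.
    The last two packets are the server's bare ACKs that the post reports as denied."""
    c, s = "192.0.2.10", "198.51.100.25"
    pkts = [
        Packet("out", "tcp", c, 40000, s, 25, "S"),    # client SYN, creates state
        Packet("in",  "tcp", s, 25, c, 40000, "SA"),   # server SYN/ACK
        Packet("out", "tcp", c, 40000, s, 25, "PA"),   # DATA segment
        Packet("in",  "tcp", s, 25, c, 40000, "A"),    # server ACK
        Packet("in",  "tcp", s, 25, c, 40000, "A"),    # another ACK
    ]
    return [fw.filter(p) for p in pkts]


if __name__ == "__main__":
    fw = StatefulFilter()
    for verdict in smtp_session(fw):
        print(verdict)
    # An unsolicited inbound SYN still hits the default deny and is logged.
    print(fw.filter(Packet("in", "tcp", "203.0.113.7", 4444, "192.0.2.10", 25, "S")))
    print(fw.log)
```

Under this model every inbound segment of the SMTP flow, SYN/ACK and bare ACKs alike, is accepted by the state entry created by the client's first outbound packet, so the explicit `pass in ... port = smtp` workaround in the post would be unnecessary; an inbound SYN with no matching state is blocked and logged, which is the only kind of entry a correctly working state table should produce for this traffic.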