From owner-freebsd-stable Mon Dec 27 2:41:27 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from me.ru (shell.me.ru [194.247.134.140]) by hub.freebsd.org (Postfix) with ESMTP id 8990C14FAD for ; Mon, 27 Dec 1999 02:41:05 -0800 (PST) (envelope-from ilya@zhurnal.ru)
Received: from [194.247.147.206] (HELO webmaster.zhurnal.ru) by me.ru (CommuniGate Pro SMTP 3.1) with ESMTP id 266839 for stable@freebsd.org; Mon, 27 Dec 1999 13:41:03 +0300
Date: Mon, 27 Dec 1999 13:43:30 +0300
From: Ilya Obshadko
X-Mailer: The Bat! (v1.36) S/N FE0A
Reply-To: Ilya Obshadko
Organization: Zhurnal.RU
X-Priority: 3 (Normal)
Message-ID: <10571.991227@zhurnal.ru>
To: stable@freebsd.org
Subject: IPFILTER: problem with denied ACK packets
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

Here's a strange problem with IPFILTER. The rule file looks like this:

    block in log on de0 all
    pass in quick on de0 proto icmp from any to any
    pass out quick on de0 proto icmp from any to any
    pass out quick on de0 proto tcp from OUR_NET to any keep state keep frags
    pass out quick on de0 proto udp from OUR_NET to any keep state keep frags

As far as I know, this set of rules allows all outbound traffic without any restrictions. But when I try to send a large amount of data (e.g. a file attachment) via SMTP, sending stops after about 10 kbytes. Both tcpdump and ipmon show denied ACK TCP packets that the SMTP server sends back to my machine. It seems those ACK packets are not counted as part of the "keep state" rule by IPFILTER.

The problem can be solved by an explicit rule:

    pass in quick on de0 proto tcp from MY_SMTP_SERVER port = smtp to MY_MACHINE

But this doesn't seem to be a secure and reliable way.

Even more, if I enable inbound ftp on any of the machines in our net and try to download a file from outside, the symptoms are exactly the same: the transfer stops after ~10 kbytes, and tcpdump and ipmon report denied ACK packets, etc.

Best regards,
Ilya
mailto:ilya@zhurnal.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
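As an added illustration (not code from the message above, nor IPFilter's own implementation), the following Python model of a stateful packet filter shows the behaviour the poster expects from "keep state": the state table is consulted before the rule list, so the server's SYN/ACK and ACK packets are passed even though "block in ... all" is the first rule, while the same ruleset without "keep state" blocks exactly those inbound ACKs. It also shows why the explicit "pass in ... port = smtp" workaround is weaker: it admits any packet with source port 25 from that server, whether or not a connection is open. The Packet/Rule/Filter classes, the addresses (RFC 5737 documentation ranges) and the port numbers are constructed assumptions; the model deliberately ignores sequence and window tracking, fragments and state timeouts.

```python
"""Toy stateful packet filter (added illustration, not IPFilter's code).

Models two things the ipf ruleset above relies on:
  * rule semantics: rules are evaluated in order and the LAST matching rule
    wins, unless a matching rule is "quick", which stops evaluation;
  * "keep state": a passed packet creates a state entry, and later packets
    of that connection in EITHER direction are passed by the state table
    before the rule list is consulted, so "block in ... all" never sees them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the filtering host
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags; informational only in this model


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str
    proto: Optional[str] = None
    src_net: Optional[str] = None   # CIDR; None means "any"
    sport: Optional[int] = None     # None means any source port
    dst_net: Optional[str] = None
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        return True


class Filter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()      # 5-tuples recorded by "keep state" rules

    def check(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # State lookup comes first and matches in both directions.
        if forward in self.state or reverse in self.state:
            return "pass (state)"
        winner = None
        for r in self.rules:                 # last match wins, quick short-circuits
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass"                    # ipf passes when no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.state.add(forward)
        return winner.action


OUR_NET = "192.0.2.0/24"                     # constructed stand-in for OUR_NET
ME, SMTP = "192.0.2.10", "198.51.100.25"     # constructed client and SMTP server


def posted_rules(keep_state: bool = True):
    """The ruleset from the message; keep state can be switched off for contrast."""
    return [
        Rule("block", "in"),
        Rule("pass", "in", "icmp", quick=True),
        Rule("pass", "out", "icmp", quick=True),
        Rule("pass", "out", "tcp", OUR_NET, quick=True, keep_state=keep_state),
        Rule("pass", "out", "udp", OUR_NET, quick=True, keep_state=keep_state),
    ]


# The poster's explicit workaround: pass in ... from MY_SMTP_SERVER port = smtp to MY_MACHINE
WORKAROUND = Rule("pass", "in", "tcp", SMTP + "/32", sport=25, dst_net=ME + "/32", quick=True)


def smtp_session(rules):
    """Verdicts for an outbound SMTP connection: SYN, SYN/ACK, data, server ACK."""
    f = Filter(rules)
    pkts = [
        Packet("out", "tcp", ME, 40000, SMTP, 25, "S"),
        Packet("in", "tcp", SMTP, 25, ME, 40000, "SA"),
        Packet("out", "tcp", ME, 40000, SMTP, 25, "PA"),
        Packet("in", "tcp", SMTP, 25, ME, 40000, "A"),
    ]
    return [f.check(p) for p in pkts]


def unsolicited_from_smtp_port(rules):
    """A fresh SYN from the server's port 25 to a port we never opened."""
    return Filter(rules).check(Packet("in", "tcp", SMTP, 25, ME, 22, "S"))
```

With "keep state" the session yields pass, pass (state), pass (state), pass (state); with it removed the two inbound packets are blocked by the first rule, which is the pattern the poster saw in ipmon. The unsolicited SYN is blocked by the posted rules but passed once WORKAROUND is appended, which is the precise sense in which the explicit rule is less secure than state tracking.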