Re: PF drops tcp packets from a machine with Gentoo linux kernel 2.6.18

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Otto Moerbeek <otto@...>

To: Tim Kuhlman <tim.kuhlman@...>

Cc: <misc@...>

Subject: Re: PF drops tcp packets from a machine with Gentoo linux kernel 2.6.18

Date: Wednesday, February 14, 2007 - 3:54 pm

On Wed, 14 Feb 2007, Tim Kuhlman wrote:

[snip]

> So what is happening? It seems to me that either pf is broken or his linux

quoted text

> kernel is broken and pf is catching it. Any ideas as to which is the cause?
>
> One other point I needs some clarification on, in my searching around I did
> find an article saying that you need the "flags S/SA" everytime you use keep
> state for tcp connections in your firewall rules. This didn't seem right to
> me but I tried it anyway just to see and it had no affect. What is the final
> word on this, should you always use "flags S/SA"?

Not always, but very often. The main rule is to make sure that the
packet creating the state is not a packet of an already established
connection, but a packet creating the connection. Creating the state
from the beginning allows pf to get the info about the window scaling
and other tcp options used.

Using flags S/SA keep state is the easiest way to achieve that. Note
that on current, this is the default.

-Otto

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

PF drops tcp packets from a machine with Gentoo linux kernel..., Tim Kuhlman, (Wed Feb 14, 2:47 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Stuart Henderson, (Wed Feb 14, 4:29 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Tim Kuhlman, (Thu Feb 15, 12:07 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Darren Spruell, (Thu Feb 15, 1:12 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Tim Kuhlman, (Thu Feb 15, 2:01 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Tim Kuhlman, (Thu Feb 15, 1:06 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Otto Moerbeek, (Wed Feb 14, 3:54 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Darren Spruell, (Wed Feb 14, 3:11 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Stuart Henderson, (Wed Feb 14, 4:27 pm)

Re: PF drops tcp packets from a machine with Gentoo linux ke..., Tim Kuhlman, (Wed Feb 14, 4:08 pm)


linux-kernel:
Andrew Morton	2.6.23-rc3-mm1
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Yinghai Lu	Re: [PATCH RFC] x86: check for and defend against BIOS memory corruption
Frederik Deweerdt	[-mm patch] remove tcp header from tcp_v4_check (take #2)
openbsd-misc:

linux-netdev:
David Miller	[GIT]: Networking
Jarek Poplawski	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Herbert Xu	Re: [PATCH 2/3][NET_BATCH] net core use batching
git:

Re: PF drops tcp packets from a machine with Gentoo linux kernel 2.6.18

Online users