[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: IP Filter 3.4.20
From:       Aleksandar Milivojevic <alex () hinet ! hr>
Date:       2001-07-31 12:48:37
[Download RAW message or body]

Ronald Florence (ron@18james.com) wrote:
> Aleksandar Milivojevic writes:
>   
>   If I have file transfer (FTP or HTTP) and if donwnload speed is more
>   then 100 KB/sec, connection breaks.   [...] 
> 
> Try modifying your ipf.conf to substitute or add the following:
> 
>   pass out quick on iprb0 proto tcp all flags AR
>   block in on iprb0 proto tcp all
>   block return-rst in on iprb0 proto tcp all flags S
> 
> The first rule lets out the RST packets.
> 
> The second rule blocks tcp stray tcp (out-of-sequence ACKs).
> 
> The third rule sends RST on wannabe tcp connections.
> 
> I suspect your long fast ftp or http transfers are breaking because
> your rules are sending RST to out-of-sequence ACKs.  It doesn't happen
> on slow speed transfers because the ACKs don't get out of whack.

Thanks all for help.  I fixed my ipf.conf so that RST is sent back
only if S flag is set, as you all sugested.

Another (newbie) question, is it smart to leave UDP part in my rules
unchanged:

    block return-icmp(port-unr) in  log proto udp all

In other words, could this affect UDP connections when UDP packets
arrive out-of-order?

-- 
Aleksandar Milivojeviæ <alex@hinet.hr>
Opinions expressed herein are my own.
Statements included here may be fiction rather than truth.

[prev in list] [next in list] [prev in thread] [next in thread]