On 11/16/2005 09:49:12 PM, Jon Hart wrote:
Hello,

This may be a pf issue, this may be an OpenBSD issue or this may be
a client issue, so let me apologize in advance.

Let me apologize in advance: when all you've got is a hammer,
everything looks like a nail.  I keep harping on the 2MSL TCP
rule -- reuse of source IP/port dest IP/port quad.  So,
could be a TCP(ish) issue, although I don't feel entirely
qualified to claim this.

Seems to me like you could be burning through all the possible
source ports the client wants to use.  After that the firewall
sees the TCP violation and does not let the traffic through,
seeing the reuse as a spoof attempt.  When the FIN-WAITs expire
then you've got another bunch of "quads" to use and things rip
again for a while until you again run out.

The setup is fairly simple -- a debian machine hanging off of each of
two interfaces on an OpenBSD -current box from 11/8 running pf.

My test is simple.  While on $CLIENT_NET:

   while (true); do lynx -dump http://host.on.server.net:12345; date;
done

Things spin up fast and go quickly for some number of seconds spewing
tens/hundreds of connections and then subsequent connections hang -- the
client sits in SYN_SENT and the server sits there with several hundred
connections in TIME_WAIT.  Exactly 45 seconds later, things come back to
life.  In the time 0s to time 45s, you can see the TIME_WAITs slowly
disappear, and then at 45s the loop comes back to life and the
connections rip through once again.  Some number of seconds later,
things freeze again and hang for 45s.  Both systems seem completely
usable -- I can ssh to/from them and do whatever I please.

Karl
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
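Karl's hypothesis (a burst of connections to one server IP:port uses up the client's source ports, then everything stalls until TIME_WAIT releases them) as a small simulation. This is an added example, not code from the thread; the pool size, hold-down time and attempt rate are assumed round numbers, not measurements from Jon's setup.

```python
"""Model of ephemeral source-port exhaustion against a single destination.

Every new connection to the same server IP:port consumes one client source
port, and that port stays unusable while the old connection sits in
TIME_WAIT.  Once the pool is empty, new SYNs cannot get a fresh quad (or a
firewall sees the reused quad and drops it) until a hold-down expires.
"""
from collections import deque


def simulate(pool_size, time_wait, attempts_per_sec, duration):
    """Return per-second lists (opened, stalled) of connection attempts.

    Assumed parameters: pool_size free source ports, each held for
    time_wait seconds after use, attempts_per_sec attempts every second,
    simulated for duration seconds.
    """
    free = pool_size
    holddown = deque()            # (release_time, ports) in time order
    opened, stalled = [], []
    for t in range(duration):
        # Give back the ports whose TIME_WAIT hold-down expired by now.
        while holddown and holddown[0][0] <= t:
            free += holddown.popleft()[1]
        got = min(free, attempts_per_sec)     # attempts that got a port
        free -= got
        if got:
            holddown.append((t + time_wait, got))
        opened.append(got)
        stalled.append(attempts_per_sec - got)
    return opened, stalled


def sustainable_rate(pool_size, time_wait):
    """Steady-state ceiling in new connections per second: the pool can
    only recycle pool_size ports every time_wait seconds."""
    return pool_size / time_wait


if __name__ == "__main__":
    # Constructed scenario: 450 ports, 45 s hold-down, 50 attempts/s.
    opened, stalled = simulate(450, 45, 50, 100)
    print("opened per second:", opened)
    print("stall seconds:", [t for t, s in enumerate(stalled) if s])
    print("sustainable rate:", sustainable_rate(450, 45), "conn/s")
```

With these numbers the loop runs for 9 seconds, stalls for 36, and then resumes exactly when the oldest TIME_WAIT entries expire, which is the burst-then-freeze pattern Jon describes.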
