On 11/17/05, Jon Hart <[EMAIL PROTECTED]> wrote:
> On Thu, Nov 17, 2005 at 03:21:01PM +0000, Karl O. Pinc wrote:
>> Let me apologize in advance: when all you've got is a hammer,
>> everything looks like a nail. I keep harping on the 2MSL TCP
>> rule -- reuse of source IP/port dest IP/port quad. So,
>> could be a TCP(ish) issue, although I don't feel entirely
>> qualified to claim this.

I think this is a key point -- the client is removing the quad from
TIME-WAIT and sees it as eligible for reuse, meanwhile the firewall
and/or the server still has this closed session state table entry in
a *WAIT state.

> the client sends 3 syns in rapid succession from this source port
> and the firewall doesn't allow them through.
. . .
> Now my problem is figuring out how to deal with this situation.
> I believe the firewall is doing what it should but others may argue it
> is being too strict. I could also just widen the default port range on
> the clients, but that doesn't strike me as the best solution.

If 'pf' is blocking new SYN packets because of an existing FIN-WAIT
table entry for the same quad, that may be proper behavior, yet "too
strict".

My TCP is a little rusty, but would it be reasonable for the
"aggressive" optimization to not only adjust timeouts, but also change
engine behavior so a newly received SYN, if it matches a state entry
which is in FIN-WAIT or CLOSED state, resets that state entry back into
"first"?

Kevin Kadow
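As an added illustration (not code from this thread or from pf itself), a small Python model of the state-table race discussed above: the client leaves TIME-WAIT after its own 2MSL while the firewall still holds a FIN-WAIT entry for the same quad, and the three rapid SYNs are blocked. The timeout values, the addresses and the `reset_on_syn` policy (the engine change suggested above) are constructed assumptions, not pf's real numbers or behaviour.

```python
"""Toy model of the race above: the client's TIME-WAIT (2MSL) ends before the
firewall's FIN-WAIT entry for the same quad expires. All timeouts and the
'reset_on_syn' policy are constructed assumptions, not pf's real behaviour."""
from dataclasses import dataclass

CLIENT_2MSL = 60.0          # constructed: how long the client holds TIME-WAIT
FIRST_TIMEOUT = 30.0        # constructed: lifetime of a half-open ("first") entry
ESTABLISHED_TIMEOUT = 3600.0

@dataclass
class StateEntry:
    state: str              # "first", "established" or "fin_wait"
    expires_at: float

class StateTable:
    """Stateful firewall keyed on the (src_ip, src_port, dst_ip, dst_port) quad."""
    def __init__(self, finwait_timeout, reset_on_syn=False):
        self.finwait_timeout = finwait_timeout
        self.reset_on_syn = reset_on_syn    # the engine change suggested above
        self.entries = {}

    def packet(self, now, quad, flags):
        """Return 'pass' or 'block' for a packet carrying the given TCP flags."""
        self.entries = {q: e for q, e in self.entries.items() if e.expires_at > now}
        entry = self.entries.get(quad)
        if "S" in flags and "A" not in flags:               # a bare SYN
            if entry is None or entry.state == "first":     # new or retransmitted
                self.entries[quad] = StateEntry("first", now + FIRST_TIMEOUT)
                return "pass"
            if entry.state == "fin_wait" and self.reset_on_syn:
                self.entries[quad] = StateEntry("first", now + FIRST_TIMEOUT)
                return "pass"
            return "block"                                  # SYN against a live or closing state
        if entry is None:
            return "block"                                  # no state: unknown connection
        if "F" in flags:
            entry.state, entry.expires_at = "fin_wait", now + self.finwait_timeout
        elif entry.state == "first":
            entry.state, entry.expires_at = "established", now + ESTABLISHED_TIMEOUT
        return "pass"

def scenario(finwait_timeout, reset_on_syn=False):
    """One connection, a close, then the client reuses the quad after its 2MSL."""
    fw = StateTable(finwait_timeout, reset_on_syn)
    quad = ("10.0.0.5", 49152, "192.0.2.10", 80)          # constructed addresses
    fw.packet(0.0, quad, "S")                              # handshake
    fw.packet(0.1, quad, "A")
    fw.packet(10.0, quad, "FA")                            # close: firewall enters FIN-WAIT
    reuse_at = 10.0 + CLIENT_2MSL                          # client's TIME-WAIT is over
    return [fw.packet(reuse_at + d, quad, "S") for d in (0.0, 1.0, 3.0)]
```

With a FIN-WAIT timeout longer than the client's 2MSL, `scenario(90.0)` blocks all three SYNs; shortening the timeout below 2MSL (`scenario(30.0)`) or enabling `reset_on_syn` lets them through.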