On 2/22/07, RW <[EMAIL PROTECTED]> wrote:
> On Wed, 21 Feb 2007 19:38:39 +0100
> J65nko <[EMAIL PROTECTED]> wrote:
> > For keeping state on TCP connections you should only create state on
> > the first packet of the 3 way TCP handshake. Using "flags S/SA" will
> > ensure this. This will prevent problems with TCP window scaling.
>
> Why? Creating a state entry causes subsequent packets, in the same TCP
> connection, to bypass the rules altogether.
The OP did not keep state on TCP connections using "flags S/SA". That
can cause problems for TCP window scaling (defined in RFC 1323) and
result in stalling connections.
From http://undeadly.org/cgi?action=article&sid=20060928081238 under
"Create TCP states on the initial SYN packet"
----------- quote ------------------------------
pf does know about window scaling and supports it. However, the
prerequisite is that you create state on the initial SYN, so pf can
associate the first two packets of the handshake with the state entry.
Since the entire negotiation of the window scaling factors takes place
only in these two packets, there is no reliable way to deduce the
factors after the handshake.
Window scaling wasn't widely used in the past, but this is changing
rapidly. Just recently, Linux started using window scaling by default.
If you experience stalling connections, especially when problems are
limited to certain combinations of hosts, and you see 'BAD state'
messages related to these connections logged, verify that you're
really creating states on the initial packet of a connection.
---------- end of quote -------------------
To prevent these TCP window scaling issues, the current pf version of
OpenBSD-4.1 BETA defaults to "flags S/SA keep state" for TCP pass
rules. Don't know when this feature will make it into FreeBSD ;)
Other issues the OP should look into are the optimizing tips given in
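The rule shape being discussed, as an added pf.conf example that is not part of the thread or of any poster's ruleset. It assumes an `ext_if` macro and uses ssh (port 22) purely as a sample service; the comments state the behaviour described in the quoted undeadly article.

```pf
# Added example; not from the mailing list thread.
ext_if = "em0"   # assumed interface name

# Problematic on a pf without the OpenBSD-4.1 defaults: no "flags" given,
# so pf creates state on whatever packet it sees first. If that is not the
# initial SYN (e.g. a connection already in progress when the ruleset was
# loaded), the state never sees the two handshake packets that carry the
# window scaling factors, and the connection can stall with 'BAD state'
# messages once scaled windows come into play.
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

# Corrected: "flags S/SA" examines the SYN and ACK bits and matches only
# when SYN is set and ACK is clear, i.e. the first packet of the 3 way
# handshake. State is therefore created on the initial SYN, and pf can
# associate the SYN and SYN/ACK with the state entry and learn the window
# scaling factors negotiated in them.
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state

# The same applies to outbound connections initiated from the firewall.
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state
```

Packets of a TCP connection that do not match "flags S/SA" (SYN/ACK, pure ACK, data) are not matched by these rules at all; they are expected to be matched by the state entry the SYN created, which is exactly what prevents a mid-stream pickup.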