Hi Simon,

On Tue, May 13, 2014 at 10:59:40PM +0800, k simon wrote:
> Hi, Willy,
>
> > Oh and BTW, are you running with PF? I have some old memories of PF
> > abusively randomizing sequence numbers and preventing new connections
> > from being initiated using a same source port from the same client. It
> > was so odd that I had to disable it on my home reverse-proxy running
> > OpenBSD! That is easy to test, simply run "pfctl -d" to disable it and
> > test again.
>
> I have a similar trouble as John. But I used ipfw instead of pf, as
> haproxy cannot bind the MSS size on FreeBSD; maybe using pf's scrub rule
> is a good idea.
> BTW, pf has a state named sloppy, it does not check sequence numbers.
It's not a matter of being sloppy or not, but of being excessive in that
it does not even accept valid packets generated by its own TCP stack! I
think that some important transitions are still missing from its state
machine. I remember having reported that issue for the first time almost
10 years ago, when comparing Netfilter in 2.4.0-pre-something with PF on
OpenBSD 3.

I don't know what else to say unfortunately, if people believe that a
firewall should block valid packets "just in case", at least there's no
place for such firewalls on my nor my customers' servers!

Cheers,
Willy
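The two pf features mentioned in the thread, the scrub rule that clamps the MSS and the sloppy state option that skips sequence-number checking, put together in one pf.conf fragment. This is an added example written by the editor, not a configuration posted by either participant or shipped with haproxy; the interface name, the MSS value of 1440 and port 80 are assumptions chosen for illustration, and the syntax is the FreeBSD pf syntax of that era (newer OpenBSD releases express scrub as a "match ... scrub (...)" rule instead).

```pf
# Added example, not from the original thread. Interface, MSS and port are assumed.
ext_if = "em0"

# Clamp the advertised TCP MSS on incoming packets so haproxy does not have
# to set it itself (it cannot bind an MSS on FreeBSD, as Simon notes).
scrub in on $ext_if all max-mss 1440

# Track the proxy's listener with the sloppy tracker: pf keeps the state
# entry but does not enforce TCP sequence-number windows, which avoids the
# "valid packets dropped by the state machine" problem Willy describes.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 keep state (sloppy)

# Outbound traffic from the proxy to its backends, same relaxed tracking.
pass out on $ext_if proto tcp from ($ext_if) to any keep state (sloppy)
```

Load it with `pfctl -f /etc/pf.conf` and, as suggested in the thread, compare against `pfctl -d` (firewall disabled entirely) to see whether pf's state tracking is what is breaking new connections; `pfctl -e` re-enables it afterwards. The sloppy tracker gives up the sequence-window enforcement that protects against blind packet injection, so it is a targeted trade-off for the proxy listener rather than something to apply to every rule.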