John, ignore barryc's fragment explanation. This has nothing to do with fragments, these are out-of-window packets that trigger your return-rst rule. Ipfilter's state code does rather strict window checking.

Try to get rid of the return-rst rule. A blocked (and silently dropped) out-of-window packet should get resent, IIRC, hopefully within the correct window bounds. With return-rst, you're explicitly asking to terminate the connection.

Good luck,
chakl

> Examination of detailed traces of some failing FTP connections (taken before
> implementing the suggestion to send RST only for unwanted SYN packets, which
> has at least avoided connections being dropped randomly) seem to show the
> RST happens when the FTP server sends a packet which is one byte larger than
> the (temporarily reduced) window size just set by the system running the
> mirroring script. A quick look at the TCP RFC suggests that packets are
> deemed "in window" as long as they start within the declared window, even if
> they "hang over the end", but that seems a strong contender as the cause of
> the RSTs from IP Filter in the FTP case. (Sender - FTP server - running
> Netware, receiver running the FTP mirror script is Solaris 2.6)
>
> [There was actually one case where the receiver set a small window and
> received a one-byte-larger packet without sending a RST, but an ACK
> enlarging the window was logged as being sent about a millisecond later
> after the incoming packet and I suspect IP Filter may have seen the window
> being enlarged before seeing the packet that would have overlapped the end
> of the window. Or maybe the packet size is a coincidental red herring...]
>
> John Line

--
Olaf Schreck - Syscall Network Solutions AG, Berlin
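The disagreement in this thread is between two ways of deciding whether a TCP data segment is "in window". The following is an added example, not code from the list thread or from IP Filter itself: it implements the RFC 793 acceptability test (a segment is acceptable if its first or last byte lands inside the receive window, so a segment that overhangs the end is accepted) beside a hypothetical stricter check that requires the whole segment to fit, and runs both over constructed sequence numbers modelling the FTP case John describes (a segment one byte longer than the advertised window). The sequence numbers, window size and the `filter_decision` policy model are constructed for illustration.

```python
"""Added example: RFC 793 segment acceptability versus a strict "must fit"
window check, with a toy model of a filter's pass / drop / return-rst decision.
Sequence numbers and window sizes below are constructed, not from real traces.
"""

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32, so compare modulo 2^32


def _in_window(seq, rcv_nxt, rcv_wnd):
    """True if RCV.NXT <= seq < RCV.NXT + RCV.WND, taking wraparound into account."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rfc793_acceptable(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 section 3.3 acceptability test for an incoming segment.

    A data segment is acceptable if its first byte OR its last byte falls
    inside the receive window. A segment that starts in-window but hangs
    over the end is therefore acceptable; the receiver trims the excess.
    """
    if seg_len == 0:
        if rcv_wnd == 0:
            return seg_seq == rcv_nxt
        return _in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False  # no room for data at all
    last = (seg_seq + seg_len - 1) % MOD
    return _in_window(seg_seq, rcv_nxt, rcv_wnd) or _in_window(last, rcv_nxt, rcv_wnd)


def strict_acceptable(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """Hypothetical stricter check: the entire segment must fit in the window.

    This models the behaviour the thread suspects, and is NOT IP Filter's code.
    """
    if seg_len == 0:
        return rfc793_acceptable(seg_seq, 0, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False
    starts_inside = _in_window(seg_seq, rcv_nxt, rcv_wnd)
    ends_inside = (seg_seq + seg_len - rcv_nxt) % MOD <= rcv_wnd
    return starts_inside and ends_inside


def filter_decision(seg_seq, seg_len, rcv_nxt, rcv_wnd, check, return_rst):
    """Toy model of a stateful filter: in-window segments pass; out-of-window
    segments are silently dropped, or answered with RST if return-rst is on."""
    if check(seg_seq, seg_len, rcv_nxt, rcv_wnd):
        return "pass"
    return "rst" if return_rst else "drop"


def ftp_case(rcv_nxt=1_000_000, rcv_wnd=1000):
    """The scenario from the thread: the receiver shrinks its window, and the
    server sends a segment that is exactly one byte longer than that window."""
    seg_len = rcv_wnd + 1
    args = (rcv_nxt, seg_len, rcv_nxt, rcv_wnd)
    return {
        "rfc793": filter_decision(*args, rfc793_acceptable, True),
        "strict_rst": filter_decision(*args, strict_acceptable, True),
        "strict_drop": filter_decision(*args, strict_acceptable, False),
    }


if __name__ == "__main__":
    for policy, verdict in ftp_case().items():
        print(f"{policy:12s} -> {verdict}")
```

Under the RFC 793 test the overhanging segment passes, under the strict test it is rejected, and whether that rejection becomes a dropped packet (which the sender will retransmit) or an RST (which kills the connection) depends only on the return-rst policy, which is the point chakl makes above.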
