Jim, many thanks for your pointers. I think I left out too much of the context earlier in this thread. The problem is communicating with a mailserver behind a Symantec Raptor Firewall. This firewall has a syn-flood protection which works like this:
1. Your server sends a SYN.
2. The firewall answers with ACK (without SYN). The ack number is that from your SYN + 1000000.
3. Your server _should_ send a RST.
4. The firewall takes this RST as a sign that the SYN sent earlier is no syn flood and responds with a SYN ACK to your original SYN, thus establishing the connection.
The problem now is getting ipfilter to send this RST. This yields the problems described in my earlier posting. The term 'broken server' is used here for servers behind a Raptor Firewall.
At 11:34 AM 6/10/2003 -0400, Jim Sandoz wrote:
Sensille wrote:
The problem with that is when a delayed ack is suddenly popping up, your connection is dropped. If you do this, only enable it for the host that has this anti-syn-flooding behaviour. It would be great to find a generic ruleset to allow communication with these 'broken' servers. Adding all these servers with one rule per server is impractical, because I see several dozen of them. On the other hand, risking a reset of a good connection is even worse.
the problem is not "broken servers". any time a packet is dropped en route, packets arrive out of sequence at the receiver. you can't control this. the generic ruleset you need is to reply with reset *only* to SYN packets. otherwise you're just going to be killing off valid connections via the return-rst, as you have found out.
read the problem description and example here: http://marc.theaimsgroup.com/?l=ipfilter&m=97234715121908&w=2
and check the FAQ, here: http://www.phildev.net/ipf/IPFprob.html#9
jim
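The handshake Sensille describes at the top of the thread, and the delayed-ACK hazard Jim points out, as an added simulation that is not part of this thread and is not ipfilter code. It models two filter policies in Python: a naive "reset any ACK without SYN" rule, and a stateful rule that resets only while the local side is still in SYN-SENT and the ack number is not ISS+1 (the RFC 793 SYN-SENT rule). The addresses, sequence numbers and the +1000000 offset are constructed values taken from the post, not observed traffic.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Key = Tuple[str, str]

# Offset the thread attributes to the Raptor probe: ack = our ISS + 1000000 (constructed from the post)
RAPTOR_OFFSET = 1_000_000


@dataclass
class Segment:
    """Minimal TCP segment: only the fields the filter decision needs."""
    src: str
    dst: str
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False
    rst: bool = False


class ConnTracker:
    """Remembers the ISS of every outbound SYN until the peer's real SYN-ACK arrives."""

    def __init__(self) -> None:
        self.syn_sent = {}        # (local, remote) -> ISS of our SYN
        self.established = set()  # (local, remote) once the SYN-ACK was seen

    def outbound(self, seg: Segment) -> None:
        if seg.syn and not seg.ack_flag:
            self.syn_sent[(seg.src, seg.dst)] = seg.seq

    def inbound(self, seg: Segment) -> None:
        key = (seg.dst, seg.src)
        iss = self.syn_sent.get(key)
        if iss is not None and seg.syn and seg.ack_flag and seg.ack == iss + 1:
            del self.syn_sent[key]
            self.established.add(key)


def rst_for(seg: Segment) -> Segment:
    """RFC 793 reset answering an unacceptable ACK: SEQ = SEG.ACK, no ACK bit."""
    return Segment(src=seg.dst, dst=seg.src, seq=seg.ack, rst=True)


def naive_policy(tracker: ConnTracker, seg: Segment) -> Optional[Segment]:
    """'return-rst on any bare ACK': satisfies the Raptor probe but also fires on a delayed ACK."""
    if seg.ack_flag and not seg.syn and not seg.rst:
        return rst_for(seg)
    return None


def stateful_policy(tracker: ConnTracker, seg: Segment) -> Optional[Segment]:
    """Reset only while we are in SYN-SENT for this pair and the ack number is not ISS+1."""
    key = (seg.dst, seg.src)
    iss = tracker.syn_sent.get(key)
    if iss is None or seg.rst or not seg.ack_flag:
        return None
    if seg.ack != iss + 1:
        return rst_for(seg)
    return None


def run_scenarios(policy) -> dict:
    """Feed the three packet patterns from the thread through a policy; record where a RST is sent."""
    us, mail, other = "10.0.0.5", "192.0.2.25", "192.0.2.80"   # constructed addresses
    t = ConnTracker()
    results = {}

    # 1. Our SYN to the mailserver; the firewall answers ACK (no SYN) with ack = ISS + 1000000
    t.outbound(Segment(us, mail, seq=1000, syn=True))
    probe = Segment(mail, us, seq=0, ack=1000 + RAPTOR_OFFSET, ack_flag=True)
    results["raptor_probe"] = policy(t, probe) is not None
    t.inbound(probe)

    # 2. After our RST the firewall forwards the real SYN-ACK; this must never be reset
    synack = Segment(mail, us, seq=5000, ack=1001, syn=True, ack_flag=True)
    results["genuine_synack"] = policy(t, synack) is not None
    t.inbound(synack)

    # 3. An established flow to another host; a delayed ACK arrives later and out of order
    t.outbound(Segment(us, other, seq=2000, syn=True))
    t.inbound(Segment(other, us, seq=7000, ack=2001, syn=True, ack_flag=True))
    delayed = Segment(other, us, seq=7001, ack=2101, ack_flag=True)
    results["delayed_ack_on_live_flow"] = policy(t, delayed) is not None
    return results


if __name__ == "__main__":
    for name, pol in (("naive", naive_policy), ("stateful", stateful_policy)):
        print(name, run_scenarios(pol))
```

The naive policy answers the Raptor probe correctly but also resets the delayed ACK of a healthy connection, which is exactly the failure Sensille and Jim describe. The stateful policy resets only the probe, because the decision needs to know that a SYN is outstanding for that address pair; a stateless per-packet rule cannot distinguish the two cases on flags alone.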
