At 01:51 AM 6/13/2003 +1000, Darren Reed wrote:
In some email I received from Sensille, sie wrote:
> Jim, many thanks for your pointers. I think I left out too
> much of the context earlier in this thread.
> The problem is communicating with a mailserver behind a
> Symantec Raptor Firewall. This firewall has a syn-flood
> protection which works like this:
>
> your server sends a SYN
> the firewall answers with ACK (without SYN). The ack number
>    is that from your SYN + 1000000
> your server _should_ send a RST
> The firewall takes this RST as a sign that the SYN sent
>    earlier is no syn flood and responds with a SYN ACK to
>    your original SYN, thus establishing the connection
>
> The problem now is getting ipfilter to send this RST. This
> yields the problems described in my earlier posting. The
> term 'broken server' is used here for servers behind a
> Raptor Firewall.

Add a rule like this:

block return-rst in quick from any to any flags A/SA

Somewhere in your ruleset (assuming you have a "flags S keep state".)
It doesn't matter where because state is checked before any rules.

ok, but if I understand what earlier in this thread was described and Jim pointed me to correctly, I'll run into trouble when delayed ACKs arrive which are outside the current receive window and thus are not caught by the state. As the ACK flag is set, I'll return RST and abort the connection. Is there a way to weaken the state check so delayed ACKs are caught by the state? Maybe one could accept sequence numbers not older than 100k with regard to the current window. Or accept all packets which lie between initial sequence and current window top.

Arne


That'll generate the packet the other firewall is looking for.

Darren
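The exchange Arne describes and the behaviour of Darren's `flags A/SA` rule, as an added example that is not part of the thread and not ipfilter's code. It models a stateful filter whose state check is a deliberate simplification (an inbound ACK matches state only if its ack number lies within one window below the highest sequence we have sent), replays the Raptor probe handshake, and then replays the delayed-ACK case Arne worries about, once with that strict check and once with his proposed relaxation (accept any ack between our initial sequence and the current top). Hostnames, sequence numbers and the 200000-byte payload are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Standard TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    seq: int
    ack: int = 0
    payload: int = 0  # bytes of data carried (constructed, no real payload)


def flags_match(flags: int, value: int, mask: int) -> bool:
    """ipfilter 'flags VALUE/MASK': of the bits named in MASK, exactly VALUE must be set."""
    return (flags & mask) == value


# Darren's rule: block return-rst in quick from any to any flags A/SA
RULE_VALUE, RULE_MASK = ACK, SYN | ACK


@dataclass
class Conn:
    isn: int        # our initial sequence number (from the SYN we sent)
    sent_max: int   # next sequence number we would send (highest sent + 1)
    window: int     # how far back an inbound ack may lag (simplified model)


class StatefulFilter:
    """Toy model of 'flags S keep state' plus the return-rst rule.

    The state check below is an assumption for illustration, not ipfilter's
    real algorithm: an inbound ACK matches state if its ack number is in
    (sent_max - window, sent_max], or in (isn, sent_max] when relaxed=True
    (Arne's proposal to accept anything between initial sequence and window top).
    """

    def __init__(self, window: int = 65535, relaxed: bool = False):
        self.conns: dict[tuple[str, str], Conn] = {}
        self.window = window
        self.relaxed = relaxed

    def outbound(self, seg: Segment) -> str:
        key = (seg.src, seg.dst)
        if seg.flags == SYN:  # 'flags S keep state' creates the entry on our SYN
            self.conns[key] = Conn(isn=seg.seq, sent_max=seg.seq + 1, window=self.window)
        elif key in self.conns:  # track how much we have sent since
            c = self.conns[key]
            c.sent_max = max(c.sent_max, seg.seq + seg.payload)
        return "pass"

    def matches_state(self, seg: Segment) -> bool:
        c = self.conns.get((seg.dst, seg.src))
        if c is None or not seg.flags & ACK:
            return False
        low = c.isn if self.relaxed else c.sent_max - c.window
        return low < seg.ack <= c.sent_max

    def inbound(self, seg: Segment) -> str:
        if self.matches_state(seg):
            return "pass"  # state is checked before any rule
        if flags_match(seg.flags, RULE_VALUE, RULE_MASK):
            return "return-rst"  # bare ACK with no matching state: answer with RST
        return "block"  # assumed default-deny for anything else


ME, THEM, ISN = "mail.example.org", "raptor.example.net", 1000  # constructed


def raptor_handshake(relaxed: bool = False) -> list[str]:
    """Replay the probe handshake: SYN -> bare ACK (ack = our seq + 1000000) -> RST -> SYN/ACK."""
    fw = StatefulFilter(relaxed=relaxed)
    log = [fw.outbound(Segment(ME, THEM, SYN, seq=ISN))]
    probe = Segment(THEM, ME, ACK, seq=0, ack=ISN + 1000000)  # far outside anything we sent
    log.append(fw.inbound(probe))                             # -> "return-rst"
    synack = Segment(THEM, ME, SYN | ACK, seq=5000, ack=ISN + 1)
    log.append(fw.inbound(synack))                            # -> "pass", normal SYN/ACK
    return log


def delayed_ack(relaxed: bool = False) -> str:
    """Arne's concern: an old ACK arrives after we have sent more than a window of data."""
    fw = StatefulFilter(window=65535, relaxed=relaxed)
    fw.outbound(Segment(ME, THEM, SYN, seq=ISN))
    fw.inbound(Segment(THEM, ME, SYN | ACK, seq=5000, ack=ISN + 1))
    fw.outbound(Segment(ME, THEM, ACK | PSH, seq=ISN + 1, payload=200000))  # bulk message body
    late = Segment(THEM, ME, ACK, seq=5001, ack=ISN + 1 + 500)  # acknowledges only the first 500 bytes
    return fw.inbound(late)  # strict: "return-rst" (connection torn down); relaxed: "pass"


if __name__ == "__main__":
    print("handshake:", raptor_handshake())
    print("delayed ack, strict:", delayed_ack())
    print("delayed ack, relaxed:", delayed_ack(relaxed=True))
```

The handshake case shows why the rule works: the probe's ack number cannot match state, so the A/SA rule fires and the RST goes out, while the real SYN/ACK still matches state and passes. The delayed-ACK case shows the trade-off Arne raises: under the strict check the same rule also answers a legitimately late ACK with a RST, and a check anchored at the initial sequence instead of the current window lets it through.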


