> 
> Anybody got some insight into this?  I only see this once in a while
> and after running 'ipf -Fa -Fs -f ipf.conf' to reload the rules it
> doesn't show up for a while.
> 
> I'm allowing in both directions for now but would like to trim it to
> just outbound (or perhaps the list can help me out with defining the
> proper rules for it) but this is what I have now. (below)
> 
> I'm doing the 'keep state' and 'keep frags' on my rules but not doing
> the 'flags' option on my packets.  Perhaps I should be changing to
> 'flags S' and adding a separate rule for tcp to do this as I likely
> can't do this for 'tcp/udp' rules if I remember correctly.

Right.

The problem with not using "flags S" is that you attempt to allow
tracking the state of a TCP connection without being able to learn
what the window scaling factor should be and thus you're doomed to
getting out-of-window packets if either the NetApp or Solaris has
agreed to use it in the beginning.

I'm not convinced that the OOW packets are an indication of problems
aside from IPFilter (in nearly all circumstances) not quite getting
its stateful tracking right.  One day I'll get a tcpdump data file
of a connection that works (without ipfilter in the way) and when
played through ipfilter generates OOW messages - at that point I'll
be able to look closely and see what it's doing wrong and fix it.
But for now, the OOW packets seem to be mostly random and it's
hard to diagnose.

Darren
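To make the window-scaling point concrete, here is a small model of the two tracking behaviours described above. It is an illustration written for this thread, not IPFilter's state code and not something Darren posted; the addresses, sequence numbers and the 10-segment server burst are constructed for the example. A tracker that only creates state on a SYN learns each side's shift count from the SYN/SYN-ACK and accepts the whole burst; a tracker that picks the flow up mid-stream has no way to learn the shift, treats the 16-bit window field literally, and reports the second data segment onwards as out-of-window.

```python
"""Toy model of stateful TCP window tracking: why creating state without
seeing the SYN loses the window scale factor and produces OOW verdicts.
Illustration for this thread only, not IPFilter's implementation."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    src: str
    dst: str
    flags: str                    # TCP flags, e.g. "S", "SA", "A", "PA"
    seq: int
    ack: int
    win: int                      # raw 16-bit window field from the header
    length: int = 0               # payload bytes
    wscale: Optional[int] = None  # window-scale option; only legal on SYN/SYN-ACK


@dataclass
class Endpoint:
    scale: int = 0                # shift count this side announced (0 if never seen)
    ack: int = 0                  # last ack it sent: lowest seq it accepts from the peer
    win: int = 0                  # last raw window it advertised
    win_is_scaled: bool = False   # the window carried in a SYN is never scaled (RFC 7323)

    def window(self) -> int:
        return self.win << self.scale if self.win_is_scaled else self.win


class StateTracker:
    """One tracker per flow.  With require_syn=True state is created only by a
    SYN (what an ipf rule with 'flags S keep state' does); with False any
    segment creates state and the scale factor is simply unknown."""

    def __init__(self, require_syn: bool):
        self.require_syn = require_syn
        self.ends: dict[str, Endpoint] = {}

    def check(self, s: Segment) -> str:
        creating = not self.ends
        if creating:
            if self.require_syn and "S" not in s.flags:
                return "NOSTATE"        # rule does not match; no state entry is made
            self.ends = {s.src: Endpoint(), s.dst: Endpoint()}
        me, peer = self.ends[s.src], self.ends[s.dst]
        if "S" in s.flags:
            me.scale = s.wscale or 0    # the only place the shift count is announced
        # A non-SYN segment must start inside the window the peer last advertised.
        # (Real trackers also check seq+length; that is left out here.)
        if "S" not in s.flags and peer.win:
            lo, hi = peer.ack, peer.ack + peer.window()
            if not lo <= s.seq < hi:
                return "OOW"
        me.ack, me.win, me.win_is_scaled = s.ack, s.win, "S" not in s.flags
        return "NEW" if creating else "PASS"


# Constructed flow: an NFS client talking to a filer; both sides ask for a
# shift of 7, so the client's later raw window of 512 really means 65536 bytes.
C, S = "10.0.0.5", "10.0.0.10"   # assumed addresses, not from the thread


def handshake() -> list[Segment]:
    return [
        Segment(C, S, "S",  seq=1000, ack=0,    win=65535, wscale=7),
        Segment(S, C, "SA", seq=5000, ack=1001, win=65535, wscale=7),
        Segment(C, S, "A",  seq=1001, ack=5001, win=512),   # 512 << 7 = 65536
    ]


def server_burst(n: int = 10) -> list[Segment]:
    # The server streams n full segments (14600 bytes) before the client acks
    # again; that is well inside 65536 but far beyond an unscaled 512.
    return [Segment(S, C, "PA", seq=5001 + i * 1460, ack=1001, win=65535, length=1460)
            for i in range(n)]


def run(trace: list[Segment], require_syn: bool) -> list[str]:
    t = StateTracker(require_syn)
    return [t.check(s) for s in trace]


if __name__ == "__main__":
    print("saw SYN, flags S:    ", run(handshake() + server_burst(), True))
    print("picked up mid-stream:", run(handshake()[2:] + server_burst(), False))
    print("mid-stream, flags S: ", run(handshake()[2:] + server_burst(), True))
```

On the rule side, the change this corresponds to is the one the original post already suspected: the combined `proto tcp/udp` rule cannot carry `flags S`, so it becomes two rules, a `proto tcp` rule with `flags S keep state` (plus `keep frags` if wanted) and a separate `proto udp` rule with `keep state`. With that, a TCP segment arriving for a flow whose SYN the filter never saw simply fails to match the stateful rule and falls through to whatever comes next, instead of seeding a state entry with an unknown scale factor.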
