On Thu, 8 Jun 2006 15:51:47 +0200 "Nicholas von Waltsleben" <[EMAIL PROTECTED]> wrote:
> > Nicholas von Waltsleben wrote: > >> i have read a number of posts in the lists regarding IPFilter > dropping > >> OOW packets and I am having the same issue on FreeBSD 6.1 running > >> IPFilter v4.1.8. I was wondering whether this issue had been > >> resolved > in 4.1.13 and if so whether there was a patch I could > apply to > >> get it to compile on my version of FreeBSD? > > > > > Herve wrote: > > Just to confirm the problem : I have 2 pop3/imap front ends serving > 30k > > mailboxes and I get 2 or 3 SYNs dropped every minute since I upgraded > > them to FreeBSD 6.0-STABLE (ipf 4.1.8). Temporary workaround was to > remove > > keep state for those services but it would be nice to know if this > problem > > is fixed in newer versions. > > > > I can provide tcpdumps if necessary. > > > > Jun 8 12:03:04 arthas ipmon[356]: 12:03:03.844718 bge0 @50:6 b > x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW > > Jun 8 12:03:05 arthas ipmon[356]: 12:03:05.069569 bge0 @50:6 b > x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW > > Jun 8 12:03:06 arthas ipmon[356]: 12:03:05.578373 2x bge0 @50:6 b > x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW > > Jun 8 12:03:07 arthas ipmon[356]: 12:03:06.579266 bge0 @50:6 b > x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW > >.... > >.... > > I have managed to prevent the problem by disabling Selective > Acknowledgments (SACKS - RFC 2018) on the Windows 2003 servers behind my > firewall. This is a temporary *fix (I hesitate to actually refer to > this as a fix) and I am still looking for a way to upgrade to 4.1.13 in > order to see whether this continues to be a problem. Any input from > non-FreeBSD users would be greatly appreciated at this point. > > Regards, > Nicholas ign-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -ffreestanding -Werror ../../../contrib/ipfilter/netinet/mlfk_ipl.c ../../../contrib/ipfilter/netinet/mlfk_ipl.c:33: warning: redundant redeclaration of 'ipfselwait' ../../../contrib/ipfilter/netinet/ip_compat.h:1541: warning: previous declaration of 'ipfselwait' was here *** Error code 1 Stop in /usr/src/sys/i386/compile/FIREWALL. This is the error code I'm receiving when compiling 4.1.13 on 6.1 i386.
