I have found something that makes it work again, but also makes me think I need
some clarification about my ipf configuration file.
For years my customers' ipf.conf has had a region defining the public ports
to be available for public services, like this:
pass in quick on [public-if] proto tcp from any to [public-ip]/32 port = 22
and it worked until I got to Windows Vista. Now, it works if I change it to:
pass in quick on [public-if] proto tcp from any to [public-ip]/32 port = 22 keep state
Why?
And also: why doesn't this seem to happen on port 25? Running a telnet session to
port 25, the manual SMTP session seems to work.
How do I actually have to use this "keep state"?
Finally, how and when should I add the "flags S"?
I think that this is also causing another issue I got with some
"timeout sending data" on Postfix when trying to communicate with specific
destinations.
I'm a bit confused...
Thanks for any help.
Gabriele.
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
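An added ipf.conf fragment (not from the original thread or from Sonicle's configuration) that puts the stateless rule from the message above beside the stateful form and shows where "flags S" fits; [public-if] and [public-ip] are the same placeholders used in the message, and the comments describe standard IPFilter semantics, not the cause of the Vista problem:

```conf
# --- Stateless form (as originally used) ---
# Every packet to port 22 is matched rule by rule, in both directions.
# Replies (SYN/ACK and following data) are NOT covered by this rule:
# they must match a separate "pass out" rule, and mid-stream packets
# (ACK/PSH, no SYN) are accepted as long as the port matches.
pass in quick on [public-if] proto tcp from any to [public-ip]/32 port = 22

# --- Stateful form ---
# "keep state" creates a state-table entry on the first matching packet;
# every later packet of that connection, in either direction, is matched
# by the state table and never re-evaluated against the rule list.
# "flags S" restricts the rule to the connection-opening SYN (SYN set,
# ACK clear), so a state entry can only be created by a real handshake,
# never by a stray mid-stream ACK or RST. "flags S" without "keep state"
# would block everything except the SYN, so the two go together.
pass in quick on [public-if] proto tcp from any to [public-ip]/32 port = 22 flags S keep state
pass in quick on [public-if] proto tcp from any to [public-ip]/32 port = 25 flags S keep state

# Connections the host opens itself (e.g. Postfix delivering outbound mail):
# the outbound SYN creates the state, so inbound replies need no extra rule.
pass out quick on [public-if] proto tcp from [public-ip]/32 to any flags S keep state

# Checks after loading (ipf -Fa -f /etc/ipf/ipf.conf):
#   ipfstat -io    shows the rules actually loaded, in evaluation order
#   ipfstat -sl    lists live state entries; a Vista SSH session should
#                  appear here right after its SYN arrives
#   ipmon -o I     logs packets hitting "log" rules, useful beside a
#                  packet trace when comparing XP and Vista handshakes
```

If the traces suggested in the reply below show SYNs carrying ECN bits or unusual options, check the TCP flag mask semantics in ipf.conf(5) for the IPFilter version in use, since the rebuilt 4.1.x and the bundled Solaris 10 build may differ.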
----------------------------------------------------------------------------------
From: Jefferson Ogata <[EMAIL PROTECTED]>
To: [email protected]
Date: 23 April 2007 18.14.32 CEST
Subject: Re: Windows Vista and ipfilter servers
On 2007-04-23 10:26, Gabriele Bulfon wrote:
> I have more data:
> - Some servers run fine, and there I have the original IPFilter that
> comes with Solaris 10
> - The ones that fail, are those that I upgraded to IPFilter 4.1.9 or
> 4.1.10 by rebuilding from sources (something was not correctly working
> on AMD installations, so I had to upgrade).
>
> What I don't understand, is why this problem comes up only if I connect
> through Vista, and only on some ports.
Maybe you have TCP window issues, or maybe Vista uses ECN in a way your
ipfilter config doesn't allow for.
I recommend you examine TCP flags and options in your packet traces to
see if there's a difference there between XP and Vista.
--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service