On 2008-02-04 19:58, Paul B. Henson wrote:
The permanently hung connections are more buggy than kludgy, and should be resolved when I get a chance to upgrade the kernel on the Linux server. I think having to change my ruleset to account for this situation is a kludge, ideally ipf should be able to detect that it is receiving a dupACK and pass packets accordingly. Implementing a separate rule just to catch the problem seems rather inelegant.
It wouldn't just be for that problem; it would be for all stale connections. If you aren't using return-rst, every time you lose state information because of a reboot (for example), any box that didn't get a TCP teardown thinks it still has a live connection to the box. Using return-rst clears that up at the next window probe. Without return-rst, those connections end up hanging around until the keepalive timers kill them. This is wasteful and provides no benefit.
In fact, since the situation you're seeing is using the same TCP endpoints, I'm not certain return-rst would fix it. But, again, it would be a tweak to your generic TCP block rule, not something tailored to the NFS problem.
--
Jefferson Ogata
NOAA Computer Incident Response Team (N-CIRT)
"Never try to retrieve anything from a bear." --National Park Service
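The tweak to the generic TCP block rule that the reply describes, shown as an added illustration rather than anything from this thread; the interface name `bge0` and the stateful pass rule are assumptions, and the rules are ipf (IPFilter) syntax:

```text
# Constructed ipf ruleset fragment (not from the thread). Interface name is assumed.

# Outbound TCP is allowed and tracked; inbound replies ride on the state entry.
pass out quick on bge0 proto tcp from any to any flags S keep state

# Plain block: after a reboot the state table is empty, so a window probe or
# keepalive from a peer that never saw a FIN is silently dropped. The peer keeps
# retrying until its own keepalive timer gives up, possibly hours later.
block in quick on bge0 proto tcp from any to any

# Same rule with return-rst: the stateless probe hits this rule and ipf answers
# with a TCP RST, so the peer tears the stale connection down immediately.
# This is a generic change to the TCP block rule, not a rule tailored to NFS.
block return-rst in quick on bge0 proto tcp from any to any
```

Only one of the two block rules would be loaded in practice; they are listed together to contrast the behaviour. As the reply notes, when the stale connection and a new one reuse the same TCP endpoints the RST may not resolve the hang on its own.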
