On Wed, Apr 15, 2009 at 12:03:44AM -0700, Darren Reed wrote:
> On 04/14/09 03:10 PM, Jens Elkner wrote:
> > On Tue, Apr 14, 2009 at 05:09:01PM -0400, Oscar del Rio wrote:
> >
> > ipf rule (a web server):
> > pass in quick proto tcp from any to any port = 80 keep state keep frags
> >
> > A SUN case engineer told me that one should always add 'flags S' when using
> > 'keep state' to not get into trouble. Why: unknown ...
>
> Because TCP window scaling options are only in the SYN/SYN-ACK
> packets and they affect what each end system considers to be "in window".
> If you create TCP state with IPFilter in mid-stream, it will be without
> that knowledge and hence unable to correctly mimic the end nodes'
> idea of what the window really is.
> Thus IPFilter will think things are "out of window" (OOW) when they
> really aren't...

Aha ok - understood. Thanx a lot!!!,
jel.
--
Otto-von-Guericke University     http://www.cs.uni-magdeburg.de/
Department of Computer Science   Geb. 29 R 027, Universitaetsplatz 2
39106 Magdeburg, Germany         Tel: +49 391 67 12768
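
Added example, not part of the thread and not IPFilter's code: a simplified Python model of the in-window check described above, run over one constructed trace with state created on the SYN (what 'flags S' enforces) and again with state created mid-stream. The names Packet, Endpoint and track, and all sequence and window numbers, are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str                      # "client" or "server"
    seq: int
    length: int = 0               # payload bytes
    ack: int = 0
    win: int = 0                  # raw 16-bit window field
    syn: bool = False
    wscale: Optional[int] = None  # option is only carried on SYN / SYN-ACK

@dataclass
class Endpoint:
    wscale: int = 0     # shift count; stays 0 if this side's SYN was never seen
    ack: int = 0        # latest ACK number this side sent
    window: int = 0     # latest advertised window, in bytes
    seen: bool = False

def track(packets):
    """Return 'pass' or 'OOW' per packet: data must end inside the window
    the receiving side last advertised, as the tracker understands it."""
    ends = {"client": Endpoint(), "server": Endpoint()}
    verdicts = []
    for p in packets:
        me = ends[p.src]
        peer = ends["server" if p.src == "client" else "client"]
        ok = True
        if p.length and peer.seen:
            ok = p.seq + p.length <= peer.ack + peer.window
        verdicts.append("pass" if ok else "OOW")
        if p.syn and p.wscale is not None:
            me.wscale = p.wscale
        # The window field of a SYN segment itself is never scaled (RFC 7323).
        me.window = p.win if p.syn else p.win << me.wscale
        me.ack, me.seen = p.ack, True
    return verdicts

# Constructed trace: both sides negotiate a window-scale shift count of 7.
TRACE = [
    Packet("client", seq=1000, win=65535, syn=True, wscale=7),
    Packet("server", seq=5000, ack=1001, win=65535, syn=True, wscale=7),
    Packet("client", seq=1001, ack=5001, win=512),
    Packet("server", seq=5001, ack=1001, win=1024),   # 1024 << 7 = 131072 bytes
    Packet("client", seq=1001, ack=5001, win=512, length=1460),
    Packet("client", seq=2461, ack=5001, win=512, length=1460),
]
FROM_SYN = track(TRACE)        # state created on the SYN, scale factors known
MID_STREAM = track(TRACE[2:])  # state created after the handshake, scale = 0
```

With the handshake visible every segment passes; starting from the third packet, the tracker reads the server's window as 1024 bytes instead of 131072 and marks both data segments OOW.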
