NetBSD-Bugs archive


Re: kern/39274: ipfilter loses state of FTP mget transfer sessions

The following reply was made to PR kern/39274; it has been noted by GNATS.

From: Manuel Bouyer <>
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Date: Thu, 7 Aug 2008 16:13:26 +0200

 On Sat, Aug 02, 2008 at 10:25:00PM +0000, David H. Gutteridge wrote:
 > >Description:
 > I'm frequently finding that FTP mget transfers fail (client-side) when
 > ipfilter is enabled on the client.  This is not an ipnat/ftp_proxy
 > issue, NAT is not enabled on the client machines in question.  I'm
 > seeing this with both -current builds on amd64 and 4.0 on macppc.
 > ipfstat output seems to indicate that ipfilter is losing the state of
 > the connections.  After that happens of course, the FTP session is
 > unusable.
 I think it's the same issue I'm seeing: TCP connections are expired
 too soon (and/or some that should be closed are not, although there
 was a proper TCP connection close). I worked around this by using
 different timeout values:
 map pppoe0 -> proxy port ftp ftp/tcp mssclamp 1452
 map pppoe0 from to any port = 22 -> portmap tcp/udp 10000:40000 age 7300 mssclamp 1452
 map pppoe0 -> portmap tcp/udp 10000:40000 age 900 mssclamp 1452
 map pppoe0 -> mssclamp 1452
 Manuel Bouyer, LIP6, Universite Paris VI.  
      NetBSD: 26 years of experience will always make the difference
