Re: Understanding pf with FTP on IPv6
On Sat, 20 Nov 2010 07:48:58 -0500, Greg Troxel <gdt%ir.bbn.com@localhost> wrote:
> pf has a bug* where if it isn't keeping state then tcp packets with
> wscale option set (in the syn, but not in the packet of interest) can
> be dropped as out-of-window. So make sure you are keeping state and see
> Run tcpdump and look at all the packets, and use pfctl to get counts
> stats. This is standard debugging advice but definitely in order
> * 99% sure - really figuring this out and fixing is on my todo list.

Thanks for taking the time. After quite a bit of tcpdump and pfctl
later, it does seem to be a state issue on IPv6. The state is being
created, by the rule that is interpreted as "pass out quick all flags
S/SA keep state" according to pfctl, but for some reason it appears the
packets coming back don't match it, and therefore aren't passed.
They're caught by the catch-anything-else "block drop all" rule.
Doing "sysctl -w net.inet6.tcp6.win_scale=0" changes nothing. (and,
curiously, but completely unrelated, although there seem to be 2
sysctls for win_scale, one IPv4 and one IPv6, changing one seems to
change the other).
Any more thoughts or troubleshooting suggestions are more than welcome,
and thanks again,
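
The window-scale effect described in the quoted text, as an added example that is not part of the original messages and is not pf's code: a simplified sequence-window check, assuming that a tracker which never saw the SYN treats the 16-bit window field as unscaled. The `Segment` and `WindowTracker` names and all packet values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Segment:
    src: str                      # "A" (client) or "B" (server)
    seq: int                      # relative sequence number
    length: int                   # payload bytes
    ack: int
    win: int                      # raw 16-bit window field from the header
    syn: bool = False
    wscale: Optional[int] = None  # window-scale option, only present in a SYN

class WindowTracker:
    """Simplified model of a filter's window check (assumption, not pf's logic)."""
    def __init__(self):
        self.shift = {"A": 0, "B": 0}  # scale each host applies to its own window
        self.limit = {}                # highest sequence number each host may reach

    def check(self, seg):
        peer = "B" if seg.src == "A" else "A"
        limit = self.limit.get(seg.src)
        ok = limit is None or seg.seq + seg.length <= limit
        if not ok:
            return False               # would be dropped as out-of-window
        if seg.syn and seg.wscale is not None:
            self.shift[seg.src] = seg.wscale
        # The window carried in a SYN is never scaled; later ones are.
        scaled = seg.win if seg.syn else seg.win << self.shift[seg.src]
        self.limit[peer] = seg.ack + scaled
        return True

def run(segments):
    tracker = WindowTracker()
    return [tracker.check(s) for s in segments]

# Constructed connection; intermediate data segments are omitted for brevity.
CONN = [
    Segment("A", 0, 0, 0, 65535, syn=True, wscale=3),
    Segment("B", 0, 0, 1, 65535, syn=True, wscale=3),
    Segment("A", 1, 0, 1, 8192),
    Segment("B", 1, 0, 100001, 32768),   # real window: 32768 << 3 = 262144
    Segment("A", 150001, 1448, 1, 8192), # legitimate data inside that window
]

if __name__ == "__main__":
    print("saw handshake:   ", run(CONN))      # every segment accepted
    print("missed handshake:", run(CONN[2:]))  # last segment rejected
```
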