Subject: ipfilter stateful rejects
To: None <tech-net@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: tech-net
Date: 10/22/1999 10:55:04
I'm starting to be plagued by what I'm told are most likely late
out-of-window incoming packets causing ipfilter to misbehave and
poison a sup transfer in mid-stream.
Oct 22 10:27:03 capsicum ipmon[172]: 10:27:02.703867 de0 @100:2 b ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,65102 PR tcp len 20 552 -A
Oct 22 10:27:08 capsicum ipmon[172]: 10:27:07.692248 de0 @100:2 b ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,65101 PR tcp len 20 552 -A
Oct 22 10:27:17 capsicum ipmon[172]: 10:27:16.181956 de0 @100:2 b ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,65099 PR tcp len 20 552 -A
This is the line from my /etc/ipf.conf file.
pass out proto tcp from any to any flags S/SAFR keep state
Unfortunately tcpdump doesn't capture anything that stands out at
around the time this syslog msg occurred. All I see is a failed
sup with a sterr msg that a sup transfer aborted.
-wolfgang
--
Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet http://www.wsrcc.com/wolfgang/gps/dgps-ip.html