NetBSD-Bugs archive

Re: kern/39274: ipfilter loses state of FTP mget transfer sessions

On Sat, Aug 02, 2008 at 10:25:00PM +0000, David H. Gutteridge wrote:
> >Description:
> I'm frequently finding that FTP mget transfers fail (client-side) when
> ipfilter is enabled on the client.  This is not an ipnat/ftp_proxy
> issue, NAT is not enabled on the client machines in question.  I'm
> seeing this with both -current builds on amd64 and 4.0 on macppc.
> ipfstat output seems to indicate that ipfilter is losing the state of
> the connections.  After that happens of course, the FTP session is
> unusable.

I think it's the same issue I'm seeing: TCP connections are expired
too soon (and/or some that should be closed are not, although there
was a proper TCP connection close). I worked around this by using
different timeout values:
map pppoe0 -> proxy port ftp ftp/tcp mssclamp 1452
map pppoe0 from to any port = 22 -> portmap tcp/udp 10000:40000 age 7300 mssclamp 1452
map pppoe0 -> portmap tcp/udp 10000:40000 age 900 mssclamp 1452
map pppoe0 -> mssclamp 1452

Manuel Bouyer, LIP6, Universite Paris VI.  
     NetBSD: 26 years of experience will always make the difference