NetBSD-Bugs archive
Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
The following reply was made to PR kern/39274; it has been noted by GNATS.
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost,
netbsd-bugs%NetBSD.org@localhost
Subject: Re: kern/39274: ipfilter loses state of FTP mget transfer sessions
Date: Thu, 7 Aug 2008 16:13:26 +0200
On Sat, Aug 02, 2008 at 10:25:00PM +0000, David H. Gutteridge wrote:
> >Description:
> I'm frequently finding that FTP mget transfers fail (client-side) when
> ipfilter is enabled on the client. This is not an ipnat/ftp_proxy
> issue, NAT is not enabled on the client machines in question. I'm
> seeing this with both -current builds on amd64 and 4.0 on macppc.
>
> ipfstat output seems to indicate that ipfilter is losing the state of
> the connections. After that happens of course, the FTP session is
> unusable.
I think it's the same issue I'm seeing: TCP connections are expired
too soon (and/or some that should be closed are not, although there
was a proper TCP connection close). I worked around this by using
different timeout values:
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 proxy port ftp ftp/tcp mssclamp 1452
map pppoe0 from 10.0.0.0/16 to any port = 22 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 7300 mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 portmap tcp/udp 10000:40000 age 900 mssclamp 1452
map pppoe0 10.0.0.0/16 -> 62.212.96.44/32 mssclamp 1452
--
Manuel Bouyer, LIP6, Universite Paris VI.
Manuel.Bouyer%lip6.fr@localhost
NetBSD: 26 years of experience will always make the difference