On Tuesday 20 March 2007 18:42, WAYNE KING wrote:
> Hello list, My subnet at Ohio State is running a BSD firewall with
> packet filter. It works great, but I just encountered a weird problem
> with the linux 2.16.18.2 kernel and packet filter. When the firewall
> was on I could do absolutely nothing via the web; every page would
> hang. As soon as I turned the firewall off, all connections worked
> fine. Apparently this is a known bug? and changing the
> tcp_window_scaling setting in the kernel to 0 fixes it. Anyway I was
> hoping that someone could explain to me why that setting might cause a
> problem with packet filter. It irritated me for weeks. By the way I'm
> using OpenSuse 10.2 --never had it up to and including Suse 10.1. I'm
> not sure if this is a problem in general with that kernel or with some
> distro particular. I'm running fedora core 6 on another computer and
> that works fine. I just discovered this fix so I haven't checked what
> kernel that has installed (fedora core 6) or what the
> tcp_window_scaling is by default. The following command fixed it on my
> computer (openSuse 10.2)
>
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>
> Any quick insights just for my own education?

Could you enable misc logging for pf (pfctl -xm) and watch the console
while you try to connect to the net with the affected Linux box?

Also, window scaling related problems are usually caused by keep state
rules that do not include "flags S/SA". Under some circumstances you could
get pf to install a state entry for which it has not seen the initial SYN
and thus it is not informed about the negotiated scaling factor and breaks
the connection later.

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
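
An added example, not part of the original message or of pf itself: a small Python check that flags stateful TCP pass rules lacking "flags S/SA", the condition the reply above describes. The sample ruleset, the interface name em0 and the function names are constructed for illustration; it assumes one rule per line with macros already expanded.

```python
import re

# Constructed sample ruleset (not from the original thread).
SAMPLE_RULES = """\
# outbound web traffic
pass out on em0 proto tcp from any to any port 80 keep state
pass out on em0 proto tcp from any to any port 443 flags S/SA keep state
pass out on em0 proto udp from any to any port 53 keep state
pass in on em0 proto tcp from any to any port 22 flags any keep state
pass out on em0 inet proto { tcp, udp } from any to any modulate state
block in log all
"""

STATE_RE = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
FLAGS_RE = re.compile(r"\bflags\s+(\S+)")


def covers_tcp(rule):
    """True if the rule can match TCP: 'proto tcp', a list with tcp, or no proto."""
    m = PROTO_RE.search(rule)
    if not m:
        return True  # no proto keyword: the rule matches every protocol
    return "tcp" in re.split(r"[\s,{}]+", m.group(1))


def find_midstream_state_rules(text):
    """Return (line number, rule) for stateful TCP pass rules that do not
    restrict state creation to the initial SYN (no flags, or 'flags any')."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()  # drop comments
        if not rule.startswith("pass") or not STATE_RE.search(rule):
            continue
        if not covers_tcp(rule):
            continue
        flags = FLAGS_RE.search(rule)
        if flags is None or flags.group(1) == "any":
            findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for lineno, rule in find_midstream_state_rules(SAMPLE_RULES):
        print(f"line {lineno}: state can be created mid-connection: {rule}")
```

Each reported rule can create a state entry from a packet other than the initial SYN, so pf never sees the window scale option exchanged in the handshake.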