Max Laier wrote:
On Saturday 21 July 2007, Jordan Gordeev wrote:
I'm replying to an old and long-forgotten thread to report my recent
findings.
There's a bug in PF with modulate/synproxy state. Modulate/synproxy
state modulate sequence numbers, but don't modulate sequence numbers in
TCP SACK options. Some firewalls block TCP segments with sequence
numbers in the SACK option pointing outside the window, which causes
connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
src/sys/net/pf.c about a year and a half ago. The bug is present in
FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
the big import of PF from OpenBSD 4.1.
I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
him to deal with the issue by either porting the fix from OpenBSD, or
by documenting that modulate/synproxy state is broken.
Good catch - sorry for the delay. Here is the diff (almost verbatim from
OPENBSD_3_8). Please test and report back. I plan to commit this to
RELENG_6 in a bit.
The patch fixed the problem I was having with modulate state and SACK on
my lightly loaded personal NAT box.
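To make the bug concrete: the core of the fix is a walk over the TCP option list that applies the same sequence-number offset the state already applies to the header's seq/ack fields to both edges of every SACK block. The following is an added, stand-alone illustration written for this thread, not the pf.c diff itself; the option buffer, the delta value (`SAMPLE_DELTA`) and the helper names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5

static uint32_t get_be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Walk the TCP option list and add 'delta' (mod 2^32, i.e. like a TCP sequence
 * number, so a "negative" delta for the reverse direction wraps correctly) to
 * both edges of every SACK block. Returns the number of blocks rewritten, or
 * -1 if the option list is malformed (a firewall should drop such a segment). */
int modulate_sack(uint8_t *opts, size_t optlen, uint32_t delta)
{
    size_t i = 0;
    int blocks = 0;
    while (i < optlen) {
        uint8_t kind = opts[i], len;
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return -1;            /* truncated option header */
        len = opts[i + 1];
        if (len < 2 || i + len > optlen) return -1; /* bad length / runs past end */
        if (kind == TCPOPT_SACK) {
            if ((len - 2) % 8 != 0) return -1;      /* SACK blocks are 8 bytes each */
            for (size_t j = i + 2; j + 8 <= i + len; j += 8, blocks++) {
                put_be32(opts + j,     get_be32(opts + j)     + delta); /* left edge  */
                put_be32(opts + j + 4, get_be32(opts + j + 4) + delta); /* right edge */
            }
        }
        i += len;
    }
    return blocks;
}

/* Constructed sample: NOP NOP SACK(len 18) carrying blocks [0x1000,0x2000) and
 * [0x3000,0x4000) in the peer's unmodulated sequence space. */
static const uint8_t sample_opts[20] = { 1, 1, 5, 18,
    0, 0, 0x10, 0,  0, 0, 0x20, 0,
    0, 0, 0x30, 0,  0, 0, 0x40, 0 };
#define SAMPLE_DELTA 0x10000000u /* hypothetical per-state sequence offset */

/* Edge 'idx' (0..3) of the sample after modulation, 0 if the walk failed. */
uint32_t sample_edge_after(int idx)
{
    uint8_t buf[sizeof sample_opts];
    memcpy(buf, sample_opts, sizeof buf);
    if (modulate_sack(buf, sizeof buf, SAMPLE_DELTA) != 2) return 0;
    return get_be32(buf + 4 + 4 * idx);
}

int main(void)
{
    for (int k = 0; k < 4; k++) printf("edge %d: 0x%08x\n", k, sample_edge_after(k));
    return 0;
}
```

Without this step the SACK edges stay in the peer's original sequence space while the header is shifted by the offset, which is exactly the out-of-window SACK that stricter firewalls drop.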
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"