Maybe I was a little too hasty with the email. Turns out it was the other party's broken NAT router that was sending fragmented packets. I had a rule to 'block in all tcp packets' and i wasnt't specifically allowing fragmented packets.
On Fri, 16 Aug 2002, Avleen Vig wrote: > Machine: FreeBSD 4.3 > ipf: IP Filter: v3.4.20 (264) > > First this bug may be resolved by me upgrading IPF. If that's the case > I'll just do that once informed :-) I haven't yet as I've not had and > problems. > > One of my users tried to send a 'larger than normal' email today, and we > found it would hang at different point during the transmission (50%, 70%, > 99%, etc). But with IPF disabled it wouldn't hang. > > I watched him over tcpdump to see what was happening.. the output is at > the end of the email. I'm assuming that it has something to do with the > fragmented packets that he's sending? I don't have any rules in place that > block short, or block ipopts. > > Thanks :) > > 213.x.x.x.33198 > 212.x.x.x.x.25: S 1202933080:1202933080(0) win 16384 <mss >1460,nop,nop,sackOK> > 212.x.x.x.x.25 > 213.x.x.x.33198: S 1822686022:1822686022(0) ack 1202933081 win >65535 <mss 1460> (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: . ack 1 win 17520 > 212.x.x.x.x.25 > 213.x.x.x.33198: P 1:52(51) ack 1 win 65535 (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: P 1:15(14) ack 52 win 17469 > 212.x.x.x.x.25 > 213.x.x.x.33198: P 52:97(45) ack 15 win 65535 (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: P 15:49(34) ack 97 win 17424 > 212.x.x.x.x.25 > 213.x.x.x.33198: P 97:105(8) ack 49 win 65535 (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: P 49:81(32) ack 105 win 17416 > 212.x.x.x.x.25 > 213.x.x.x.33198: P 105:113(8) ack 81 win 65535 (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: P 81:87(6) ack 113 win 17408 > 212.x.x.x.x.25 > 213.x.x.x.33198: P 113:127(14) ack 87 win 65535 (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: . 87:1523(1436) ack 127 win 17394 (frag >8539:1456@0+) > 213.x.x.x.33198 > 212.x.x.x.x.25: . 1547:2983(1436) ack 127 win 17394 (frag >8540:1456@0+) > 213.x.x.x.33198 > 212.x.x.x.x.25: . 3007:4443(1436) ack 127 win 17394 (frag >8541:1456@0+) > 213.x.x.x.33198 > 212.x.x.x.x.25: P 4467:5377(910) ack 127 win 17394 > 212.x.x.x.x.25 > 213.x.x.x.33198: . ack 87 win 65535 (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: P 5377:5382(5) ack 127 win 17394 > 212.x.x.x.x.25 > 213.x.x.x.33198: . ack 87 win 65535 (DF) > 213.x.x.x.33198 > 212.x.x.x.x.25: . 87:1523(1436) ack 127 win 17394 (frag >8544:1456@0+) > 213.x.x.x.33198 > 212.x.x.x.x.25: . 87:1523(1436) ack 127 win 17394 (frag >8545:1456@0+) > 213.x.x.x.33198 > 212.x.x.x.x.25: . 87:1523(1436) ack 127 win 17394 (frag >8547:1456@0+) > 213.x.x.x.33198 > 212.x.x.x.x.25: . 87:1523(1436) ack 127 win 17394 (frag >8548:1456@0+) > > > -- Avleen Vig Work Time: Unix Systems Administrator Play Time: Network Security Officer Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf
