I haven't seen any logging about fragments being blocked. I just now tried with 'keep frags' added in and got the same behaviour.
On Fri Oct 11 12:41:31 2002, Wes Zuber wrote:
>
> hmm, I always use keep state keep frags in my pass out statement. Could
> this be an issue?
>
> --Wes
>
> On Friday, October 11, 2002, at 12:09 PM, Iain Morgan wrote:
>
> > Hello,
> >
> > We have ipf v3.4.29 running on a Solaris 8 system. For the most part,
> > things work correctly. However under some circumstances established
> > TCP connections seem to fail part way through.
> >
> > This is particularly noticeable when the system is backed up by piping
> > the output of ufsdump through ssh to our mass storage system. What
> > appears to be happening is that the incoming packets cease to match
> > the state-table entry. The outgoing packets continue to match the entry.
> >
> > I have a kludge that works around the issue, but I was wondering if
> > anyone had any similar problems and perhaps a better solution.
> >
> > The relevant rules in the ipf.conf are:
> >
> > block in log all
> > pass out proto tcp from any to 129.99.0.0/16 port = 22 flags S keep state
> >
> > # Special handling for lou to allow backups to work
> > pass in proto tcp from 129.99.248.41 port = 22 to any
> >
> > I've used ipfstat -t to confirm that an entry for the connection does
> > get created and is mode 4/4. I've tried using ipmon and snoop to
> > pinpoint the problem to no avail.
> >
> > This problem occurs with both 3.4.28 and 3.4.29. The Sun Workshop 6.0U1
> > compiler was used to build ipf.
> >
> > --
> > Iain Morgan
> > NAS Desktop Support Group
>

--
Iain Morgan
NAS Desktop Support Group
