On Sat, Apr 19, 2003 at 05:43:38PM +0800, Laurence Moore wrote:
> Try the following rule.
>
> block return-rst in quick on ext-if proto tcp from any port = 25 to any
> flags A
Has anyone actually tried this rule? At my site it isn't working, maybe because ipfilter sends a RST with ACK=0, instead of using the received SEQ (ipf 3.4.31).
The problem with that is when a delayed ack is suddenly popping up, your connection is dropped. If you do this, only enable it for the host that has this anti-syn-flooding behaviour.
It would be great to find a generic ruleset to allow communication with these 'broken' servers. Adding all these servers with one rule per server is impractical, because I see several dozens of them. On the other hand, risking to reset a good connection is even worse.
Just to be sure I understand why the connection would be reset: if an out-of-sequence ACK arrives, the stateful rules will not match, because the ACK is outside the receive window. The block return-rst will match and reset the connection. Is this correct?
If yes, maybe the state check should be weakened to allow using return-rst along with a stateful rule.
Does anyone have a good idea how to solve this?
BTW: I think it is Symantec Raptor Firewall on the other end.
-- Arne
-Guido
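A small model of the two checks the thread argues about, added here as an example and not code from the thread or from ipfilter: a delayed ACK fails a simplified state-table window test, falls through to a stand-in for the quoted `flags A` return-rst rule, and the resulting RST is only honoured by the peer when its SEQ lies inside the peer's receive window (RFC 793). The sequence numbers, window sizes and the flag handling are constructed assumptions, not ipfilter's actual implementation.

```python
from dataclasses import dataclass

WRAP = 2 ** 32


def in_window(seq, base, size):
    """True if seq lies in [base, base + size) modulo 2^32."""
    return (seq - base) % WRAP < size


@dataclass
class Segment:
    seq: int
    ack: int
    flags: str  # subset of "SAFRP"
    length: int = 0


def state_matches(seg, expect_seq, window):
    """Simplified state check (assumption): SEQ must sit inside our window.
    A delayed ACK whose SEQ we already consumed fails this test."""
    return in_window(seg.seq, expect_seq, window)


def rst_rule_matches(seg):
    """Stand-in for 'flags A' in the quoted rule: ACK set, no SYN/FIN/RST.
    ipfilter's exact flag-mask semantics are not modelled here."""
    return "A" in seg.flags and not set(seg.flags) & set("SFR")


def rfc793_rst_for(seg):
    """RST a host should emit for an unacceptable segment (RFC 793 s.3.4):
    SEQ is taken from the offending segment's ACK number when ACK is set."""
    if "A" in seg.flags:
        return Segment(seq=seg.ack, ack=0, flags="R")
    return Segment(seq=0, ack=(seg.seq + seg.length) % WRAP, flags="RA")


def peer_accepts_rst(rst, peer_rcv_next, peer_window):
    """RFC 793: a RST is valid only if its SEQ is inside the receiver's window."""
    return in_window(rst.seq, peer_rcv_next, peer_window)


def walk_through():
    # Constructed numbers: peer's stream is at 1000 with our window 16384;
    # the peer expects our next byte at 5000 with a window of 8192.
    expect_seq, window = 1000, 16384
    peer_rcv_next, peer_window = 5000, 8192
    fresh = Segment(seq=1000, ack=5000, flags="A")
    delayed = Segment(seq=900, ack=5000, flags="A")  # late ACK, SEQ already consumed
    good_rst = rfc793_rst_for(delayed)                # SEQ = 5000, inside peer window
    zero_rst = Segment(seq=0, ack=0, flags="R")       # RST not derived from the segment
    return {
        "fresh_in_state": state_matches(fresh, expect_seq, window),
        "delayed_in_state": state_matches(delayed, expect_seq, window),
        "delayed_hits_rst_rule": rst_rule_matches(delayed),
        "rfc793_rst_accepted": peer_accepts_rst(good_rst, peer_rcv_next, peer_window),
        "zero_seq_rst_accepted": peer_accepts_rst(zero_rst, peer_rcv_next, peer_window),
    }
```

The last two results show the point Arne raises: a RST that does not carry the right SEQ is silently dropped by the peer, so the rule appears not to work, while a correctly built one tears the connection down even for a harmless delayed ACK.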
