Sensille wrote:
The problem with that is when a delayed ACK suddenly pops up,
your connection is dropped. If you do this, only enable it for the
host that has this anti-SYN-flooding behaviour.

It would be great to find a generic ruleset to allow communication with these 'broken' servers. Adding all these servers with one rule per server is impractical, because I see several dozen of them. On the other hand, risking resetting a good connection is even worse.

The problem is not "broken servers". Any time a packet is dropped en route, packets arrive out of sequence at the receiver. You can't control this. The generic ruleset you need is to reply with reset *only* to SYN packets. Otherwise you're just going to be killing off valid connections via the return-rst, as you have found out.

read the problem description and example here:
http://marc.theaimsgroup.com/?l=ipfilter&m=97234715121908&w=2

and check the FAQ, here:
http://www.phildev.net/ipf/IPFprob.html#9

jim
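As an added illustration of the point above (example rules written for this thread, not taken from jim's post or the linked FAQ), an ipf ruleset that answers only connection attempts with a RST. The interface and addresses are left generic on purpose; adapt them to your own setup.

```ipf
# Problematic: return-rst on every unmatched inbound TCP packet.
# A late or out-of-order ACK from a still-valid connection matches
# this rule and gets a RST back, tearing the good connection down.
block return-rst in quick proto tcp from any to any

# Better: let state tracking handle the return traffic of connections
# you opened yourself, so a delayed ACK is matched by the state table
# and never reaches the block rules.
pass out quick proto tcp from any to any flags S keep state

# Only a bare SYN (SYN set, ACK clear: flags S/SA) is a new
# connection attempt, so only that gets a RST reply.
block return-rst in quick proto tcp from any to any flags S/SA

# Everything else that is still unmatched is dropped silently
# instead of being reset.
block in quick proto tcp from any to any
```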