In some email I received from Sensille, sie wrote:

> Jim, many thanks for your pointers. I think I left out too
> much of the context earlier in this thread.
> The problem is communicating with a mailserver behind a
> Symantec Raptor Firewall. This firewall has a syn-flood
> protection which works like this:
>
> your server sends a SYN
> the firewall answers with ACK (without SYN). The ack number
> is that from your SYN + 1000000
> your server _should_ send a RST
> The firewall takes this RST as a sign that the SYN sent
> earlier is no syn flood and responds with a SYN ACK to
> your original SYN, thus establishing the connection
>
> The problem now is getting ipfilter to send this RST. This
> yields the problems described in my earlier posting. The
> term 'broken server' is used here for servers behind a
> Raptor Firewall.
Add a rule like this:

block return-rst in quick from any to any flags A/SA

somewhere in your ruleset (assuming you have a "flags S keep state"). It doesn't matter where because state is checked before any rules. That'll generate the packet the other firewall is looking for.

Darren
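The exchange quoted above and the way the suggested rule fits into it, as an added model (not code from the thread or from ipfilter): `flags A/SA` means "of the SYN and ACK bits, only ACK is set", and the state table is consulted before the rule is reached. The 1000000 offset and the rule text come from the thread; addresses and sequence numbers are constructed sample values.

```python
# Added example (not from the thread): a small model of ipfilter's "flags A/SA"
# match and of the Raptor probe/RST exchange described above. The 1000000
# offset and the rule come from the thread; addresses and sequence numbers are
# constructed sample values.
from dataclasses import dataclass

SYN, ACK, RST = 0x02, 0x10, 0x04
FLAG_BITS = {"S": SYN, "A": ACK, "R": RST}

def parse_flags(spec: str):
    """'A/SA' -> (wanted bits, mask bits); with no '/', mask = wanted (ipfilter default)."""
    want, _, mask = spec.partition("/")
    want_bits = sum(FLAG_BITS[c] for c in want)
    mask_bits = sum(FLAG_BITS[c] for c in mask) if mask else want_bits
    return want_bits, mask_bits

def flags_match(pkt_flags: int, spec: str) -> bool:
    """True when, within the mask, exactly the wanted bits are set."""
    want, mask = parse_flags(spec)
    return (pkt_flags & mask) == want

@dataclass
class Pkt:
    src: str
    dst: str
    flags: int
    seq: int = 0
    ack: int = 0

def raptor_probe(syn: Pkt) -> Pkt:
    """Model of the remote firewall's first reply: bare ACK, ack = our seq + 1000000."""
    return Pkt(syn.dst, syn.src, ACK, ack=syn.seq + 1000000)

def local_ipfilter(pkt: Pkt, state: set, rule: str = "A/SA"):
    """State table is consulted first; only then the 'block return-rst ... flags A/SA' rule."""
    if (pkt.src, pkt.dst, pkt.ack) in state:          # the SYN-ACK we keep state for
        return "pass"
    if flags_match(pkt.flags, rule):                   # bare ACK -> answer with RST
        return Pkt(pkt.dst, pkt.src, RST, seq=pkt.ack)
    return "block"

def handshake(client="10.0.0.5", server="192.0.2.25", isn=1000):
    """Walk the exchange from the thread; returns the decision for each inbound packet."""
    syn = Pkt(client, server, SYN, seq=isn)
    state = {(server, client, isn + 1)}               # created by "flags S keep state"
    first = local_ipfilter(raptor_probe(syn), state)  # probe: ack off by 1000000 -> RST
    synack = Pkt(server, client, SYN | ACK, ack=isn + 1)
    second = local_ipfilter(synack, state)            # real SYN-ACK matches state -> pass
    return first, second
```

The model also shows why the rule does not interfere with the real handshake: the SYN-ACK carries both bits, so `(flags & SA) == SA`, not `A`, and in any case it is accepted by the state entry first.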
