> Could this also be a problem with older versions of ipf that do not
> specifically have window check code in place?

No version of IPFilter that does stateful filtering is going to deal well with this scenario.

> I see similar behavior (lost
> SMB connections) across 3.4.x series firewalls as well now. I thought
> originally this was isolated to 4.1.x but given that 4.1.2 has the issue
> with the window check disabled and now I see it with 3.4.x series I think
> there could be something bigger at play. So far disabling SACK within
> Windows XP has eliminated the problem. I will test with Windows 2000
> tonight. The far side of the SMB share is a FreeBSD 5.1 box running Samba 3
> and has no SACK options. I believe FreeBSD didn't start to grok SACK until
> 5.2.

Well, looking at your tcpdump, both ends are sending "sackOK" in SYN packets when the session is created.

Darren
