Laurent Blume wrote:
It's not reproducible per se, but it happens all the time. I'm going to
get a snoop on both sides this afternoon, and send that direct to you.
Thanks Darren!
Hmmm, actually, it's now also blocking packets without the OOW flag:
May 15 14:34:39 osiris ipmon[182]: [ID 702911 local0.notice]
14:34:39.042517 e1000g0 @0:17 b 144.204.65.4,44422 -> 144.204.16.1,3128
PR tcp len 20 48 -S IN
I don't get it?
Oh, note that not *all* those connections are blocked, only a fraction.
Since this is a proxy, there's a lot of traffic getting in, and most of
it is working. Sometimes, though, the users get a "Connection refused";
and a retry is enough.
Also, the calling party is also blocking packets (IPF 3.4.33 there):
May 15 14:37:22 onera ipmon[25422]: [ID 702911 local0.notice]
14:37:22.328907 ce0 @200:4 b 144.204.16.1,3128 -> 144.204.65.4,51954 PR
tcp len 20 1500 -AP IN
But the rule blocking them is really a block, and my guess is that the
'keep state' does not work properly because there are packets already
dropped on the other side.
Hmmm, am I clear there? I'm kinda lost myself with those drops, I've
read and re-read again the rules, they look ok to me. And they work --
most of the time.
Laurent
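
A triage helper for ipmon output like the lines quoted in this message, added here as an example and not part of the original post: it parses the records (including mail-wrapped ones) and counts blocked TCP packets per host and rule, split into SYN-only, mid-stream and OOW. The bucket names and the last two sample records are constructed for illustration.

```python
import re
from collections import Counter

# Layout from the quoted lines: host ipmon[pid]: [ID ...] time iface @group:rule
# action src,port -> dst,port PR proto len hdrlen pktlen -FLAGS IN|OUT [OOW]
IPMON_RE = re.compile(
    r"(?P<host>\S+) ipmon\[\d+\]: (?:\[ID [^\]]+\] )?"
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hdrlen>\d+) (?P<pktlen>\d+) "
    r"-(?P<flags>[A-Z]+) (?P<dir>IN|OUT)(?P<oow> OOW)?"
)

def parse(text):
    """Parse ipmon records, tolerating mail-wrapped lines by collapsing whitespace."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in IPMON_RE.finditer(flat)]

def bucket(rec):
    """Triage heuristic (an assumption of this example, not ipfilter terminology)."""
    if rec["oow"]:
        return "out-of-window"   # logged with the OOW marker
    if rec["flags"] == "S":
        return "syn-only"        # first packet of a new connection
    return "mid-stream"          # ACK/PSH etc. with no OOW marker

def blocked_summary(text):
    """Count blocked ('b') TCP packets per (host, rule, bucket)."""
    counts = Counter()
    for rec in parse(text):
        if rec["action"] == "b" and rec["proto"] == "tcp":
            counts[(rec["host"], f'{rec["group"]}:{rec["rule"]}', bucket(rec))] += 1
    return counts

# The first two records are the ones quoted in the post (wrapped as mailed);
# the last two are constructed for illustration.
SAMPLE = """\
May 15 14:34:39 osiris ipmon[182]: [ID 702911 local0.notice]
14:34:39.042517 e1000g0 @0:17 b 144.204.65.4,44422 -> 144.204.16.1,3128
PR tcp len 20 48 -S IN
May 15 14:37:22 onera ipmon[25422]: [ID 702911 local0.notice]
14:37:22.328907 ce0 @200:4 b 144.204.16.1,3128 -> 144.204.65.4,51954 PR
tcp len 20 1500 -AP IN
May 15 14:40:01 osiris ipmon[182]: [ID 702911 local0.notice] 14:40:01.000001 e1000g0 @0:17 b 144.204.65.4,44500 -> 144.204.16.1,3128 PR tcp len 20 40 -A IN OOW
May 15 14:40:02 osiris ipmon[182]: [ID 702911 local0.notice] 14:40:02.000001 e1000g0 @0:12 p 144.204.65.4,44501 -> 144.204.16.1,3128 PR tcp len 20 48 -S IN
"""

if __name__ == "__main__":
    print(blocked_summary(SAMPLE))
```

Run over the ipmon logs from both hosts for the same time window, the per-rule counts show whether the drops are mostly new connections or packets of connections that were already under way.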