> Nicholas von Waltsleben wrote:
>> I have read a number of posts in the lists regarding IPFilter dropping
>> OOW packets and I am having the same issue on FreeBSD 6.1 running
>> IPFilter v4.1.8. I was wondering whether this issue had been
>> resolved in 4.1.13 and if so whether there was a patch I could apply to
>> get it to compile on my version of FreeBSD?
>
> Herve wrote:
> Just to confirm the problem: I have 2 pop3/imap front ends serving 30k
> mailboxes and I get 2 or 3 SYNs dropped every minute since I upgraded
> them to FreeBSD 6.0-STABLE (ipf 4.1.8). Temporary workaround was to remove
> keep state for those services but it would be nice to know if this problem
> is fixed in newer versions.
>
> I can provide tcpdumps if necessary.
>
> Jun 8 12:03:04 arthas ipmon[356]: 12:03:03.844718 bge0 @50:6 b x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW
> Jun 8 12:03:05 arthas ipmon[356]: 12:03:05.069569 bge0 @50:6 b x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW
> Jun 8 12:03:06 arthas ipmon[356]: 12:03:05.578373 2x bge0 @50:6 b x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW
> Jun 8 12:03:07 arthas ipmon[356]: 12:03:06.579266 bge0 @50:6 b x.x.242.32,18 -> 62.4.16.78,110 PR tcp len 20 44 -S IN OOW
>....
>....

I have managed to prevent the problem by disabling Selective Acknowledgments (SACKS - RFC 2018) on the Windows 2003 servers behind my firewall. This is a temporary *fix (I hesitate to actually refer to this as a fix) and I am still looking for a way to upgrade to 4.1.13 in order to see whether this continues to be a problem.

Any input from non-FreeBSD users would be greatly appreciated at this point.

Regards,
Nicholas
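
Added example, not part of the original messages: a small Python parser for ipmon syslog lines in the format quoted above, counting blocked bare-SYN packets flagged OOW per minute and destination port, which is the rate Herve describes. The sample lines are constructed (documentation addresses, hypothetical host name `fw`), and the `2x` prefix is treated here as a repeat count, which is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the ipmon syslog format quoted in the thread.
SAMPLE = """\
Jun  8 12:03:04 fw ipmon[356]: 12:03:03.844718 bge0 @50:6 b 192.0.2.32,40018 -> 198.51.100.78,110 PR tcp len 20 44 -S IN OOW
Jun  8 12:03:06 fw ipmon[356]: 12:03:05.578373 2x bge0 @50:6 b 192.0.2.32,40018 -> 198.51.100.78,110 PR tcp len 20 44 -S IN OOW
Jun  8 12:03:09 fw ipmon[356]: 12:03:08.100001 bge0 @50:6 b 192.0.2.40,40100 -> 198.51.100.78,143 PR tcp len 20 40 -A IN OOW
Jun  8 12:04:01 fw ipmon[356]: 12:04:00.000010 bge0 @50:6 b 192.0.2.41,40200 -> 198.51.100.78,110 PR tcp len 20 44 -S IN OOW
Jun  8 12:04:02 fw ipmon[356]: 12:04:01.500000 bge0 @50:7 p 192.0.2.41,40201 -> 198.51.100.78,110 PR tcp len 20 44 -S IN
"""

# time [Nx] interface @group:rule action src,port -> dst,port PR tcp len hl len -FLAGS ...
LINE = re.compile(
    r"ipmon\[\d+\]: (?P<hhmm>\d\d:\d\d):\d\d\.\d+ (?:(?P<n>\d+)x )?"
    r"(?P<ifname>\S+) @(?P<rule>\d+:\d+) (?P<action>\S+) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR tcp len \d+ \d+ -(?P<flags>[A-Z]+) (?P<rest>.*)$"
)


def oow_syn_drops(text):
    """Count blocked bare SYNs marked OOW, keyed by (minute, dst, dport)."""
    drops = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a TCP ipmon line in this format
        # Only blocked packets ("b") carrying SYN alone are of interest:
        # a new connection attempt should never be out of window.
        if m["action"] != "b" or m["flags"] != "S":
            continue
        if "OOW" not in m["rest"].split():
            continue
        # Assumption: "Nx" means the entry stands for N identical packets.
        drops[(m["hhmm"], m["dst"], int(m["dport"]))] += int(m["n"] or 1)
    return drops


if __name__ == "__main__":
    for (minute, dst, dport), count in sorted(oow_syn_drops(SAMPLE).items()):
        print(f"{minute} {dst}:{dport} dropped SYNs (OOW): {count}")
```
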
