Dear mailing list,
Is there a patch for the keep state/OOW issues in version 4.1.13 on
FreeBSD 6.2 and if so, what are the instructions to apply the patch?
I can give an example of the phenomenon. When a user is trying to upload
a photobook to fujidirect (145.7.16.174) and the rule below is being
used: (<if> being the interface and <LAN> being the private IP range and mask)
"pass out quick on <if> proto tcp from <LAN> to 145.7.16.174 port = 80
keep state"
The upload stops after a short burst and the following is seen in the
log: (<userip> being the IP of the machine on the LAN)
"@0:1 b <userip>,1227 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1235 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1287 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b <userip>,1309 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW"
After removing the "keep state" the upload stops immediately and the
following appears in the log:
"@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT
@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT
@0:1 b 145.7.16.174,80 -> <userip>,1353 PR tcp len 20 48 -AS IN NAT"
Leading to the forced opening of traffic IN from 145.7.16.174, i.e. a
stateless transfer that works but is not preferable.
This is just one example of many.
Seeing this from a layman's point of view, an option for the ruleset aka
keep state would be preferable. In other words, 'keep OOW' as an option
like so:
"pass out quick on <if> proto tcp from <LAN> to 145.7.16.174 port = 80
keep state keep OOW"
Grateful for any response,
Greetings
/Roger
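As an added example (not part of Roger's post or of IPFilter itself), a small Python parser for ipmon-style block records like those quoted above: it tallies blocked packets by direction and trailing keyword and counts OOW rejections per connection, so the stalled-upload symptom can be found in a log instead of eyeballed. The sample lines are constructed, with 192.0.2.10 standing in for <userip>, and the record layout is assumed from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample shaped like the post's ipmon lines; 192.0.2.10 stands in for <userip>.
SAMPLE_LOG = """\
@0:1 b 192.0.2.10,1227 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 192.0.2.10,1235 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 b 192.0.2.10,1287 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT OOW
@0:1 p 192.0.2.10,1309 -> 145.7.16.174,80 PR tcp len 20 1500 -A OUT
@0:1 b 145.7.16.174,80 -> 192.0.2.10,1353 PR tcp len 20 48 -AS IN NAT
"""

# One record (layout assumed from the post): @group:rule, action (b=block, p=pass),
# src,port -> dst,port, protocol, header and packet length, optional TCP flags,
# direction, then trailing keywords such as OOW or NAT. search() skips any prefix.
LINE_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\w)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)(?P<extra>(?:\s+\w+)*)\s*$"
)

def parse_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["extra"] = rec["extra"].split()  # e.g. ['OOW'], ['NAT'] or []
    return rec

def blocked_by_reason(log_text):
    """Tally blocked packets by (direction, first trailing keyword or '-')."""
    tally = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "b":
            tally[(rec["dir"], rec["extra"][0] if rec["extra"] else "-")] += 1
    return tally

def oow_flows(log_text):
    """Per-connection count of OOW blocks: packets a 'keep state' entry
    rejected as out of window, which is the stall the post describes."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "b" and "OOW" in rec["extra"]:
            flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
    return flows
```

Run it over a real ipmon log with `oow_flows(open(path).read())`; a connection that keeps reappearing here while its state entry is alive is the pattern from the post.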