On Sat, 2 Feb 2008, Jefferson Ogata wrote:

> > I currently have no specific rules blocking inbound packets from NFS
> > servers, I would need to either add one, or use return-rst on my
> > general block inbound rule. Both feel somewhat kludgy.
>
> Yes, so you said. But why? I think it's kind of klugey to leave
> permanently hung connections chewing up kernel memory on my boxes.
The permanently hung connections are more buggy than kludgy, and should be
resolved when I get a chance to upgrade the kernel on the Linux server. I
think having to change my ruleset to account for this situation is a kludge;
ideally ipf should be able to detect that it is receiving a dupACK and pass
packets accordingly. Implementing a separate rule just to catch the problem
seems rather inelegant.

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | [EMAIL PROTECTED]
California State Polytechnic University | Pomona CA 91768
