Say I have an application behind the firewall listening on tcp:3500. From
outside I connect to the application:
SYN \
      SYN ACK
     /
ACK
The server then pushes back the SSL start:
      PUSH
     /
The firewall sees the packet arrive on the inside interface but never
forwards it back out the outside.
I don't 'keep state' on the firewall for these inbound tcp:3500 sessions
because I can never keep ahead on how much buffer space is necessary to keep
state for all of them. No state is kept on the inside interface.
Instead in the log I get lines like:
Aug 7 12:05:20 fw ipmon[376]: 12:05:19.823759 wm0 @0:19 b server[2.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1420 -A OUT OOW
Aug 7 12:05:20 fw ipmon[376]: 12:05:19.889617 wm0 @0:19 b server[22.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1420 -AP OUT OOW
Aug 7 12:05:20 fw ipmon[376]: 12:05:19.889741 wm0 @0:19 b server[2.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1420 -A OUT OOW
Aug 7 12:05:20 fw ipmon[376]: 12:05:20.319142 wm0 @0:19 b server[2.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1049 -AP OUT OOW
I've had to add a rule:
pass out quick proto tcp from any port = 3500 to any keep frags group 2
This configuration without the change above worked well on netbsd-3-1
running v4.1.8. This system was updated last night.
Does someone have a pointer to what's going on? I've seen the pages that
describe that an OOW issue existed but the notes seem to imply that it's
fixed in 4.1.23. Did I read that wrong? Is there a better way to deal with
this?
Thanks,
peter
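An added example, not part of peter's post and not IPFilter's own code: a small Python parser for ipmon lines in the layout quoted above, which tallies blocked packets carrying the OOW tag per rule (@group:rule) and flow, so a log can be checked for which rule is dropping the server's replies and how often. The field layout is assumed from the post's lines; the passed inbound SYN in the sample is constructed.

```python
import re
from collections import Counter

# Field layout assumed from the ipmon lines quoted in the post; ipmon's
# output differs between IPFilter versions, so adjust the pattern if needed.
IPMON_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[^\[\s]*)\[(?P<sip>[^\]]+)\],(?P<sport>\d+) -> "
    r"(?P<dst>[^\[\s]*)\[(?P<dip>[^\]]+)\],(?P<dport>\d+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)"
    r"(?P<tags>(?: [A-Z]+)*)$"
)

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["tags"] = rec["tags"].split()   # e.g. ["OOW"]; [] when no state tag
    return rec

def blocked_oow_flows(lines):
    """Count packets blocked (action 'b') with the OOW tag, per rule and flow."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["action"] != "b" or "OOW" not in rec["tags"]:
            continue
        key = (f"@{rec['group']}:{rec['rule']}", rec["dir"],
               f"{rec['sip']}:{rec['sport']}", f"{rec['dip']}:{rec['dport']}")
        counts[key] += 1
    return counts

# Sample input: a constructed inbound SYN that was passed, followed by the
# four blocked lines from the post, each rejoined onto a single line.
SAMPLE_LINES = [
    "Aug 7 12:05:19 fw ipmon[376]: 12:05:19.700000 wm0 @0:12 p client[6.5.4.3],41301 -> server[2.3.4.5],3500 PR tcp len 20 60 -S IN",
    "Aug 7 12:05:20 fw ipmon[376]: 12:05:19.823759 wm0 @0:19 b server[2.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1420 -A OUT OOW",
    "Aug 7 12:05:20 fw ipmon[376]: 12:05:19.889617 wm0 @0:19 b server[22.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1420 -AP OUT OOW",
    "Aug 7 12:05:20 fw ipmon[376]: 12:05:19.889741 wm0 @0:19 b server[2.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1420 -A OUT OOW",
    "Aug 7 12:05:20 fw ipmon[376]: 12:05:20.319142 wm0 @0:19 b server[2.3.4.5],3500 -> client[6.5.4.3],41301 PR tcp len 20 1049 -AP OUT OOW",
]

if __name__ == "__main__":
    for flow, n in sorted(blocked_oow_flows(SAMPLE_LINES).items()):
        print(n, *flow)
```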