Hi Darren,

I'm using ipfilter 5.1.1 on OpenIndiana. I basically copied a rule set from a 4.1.35 installation on Solaris 10 over to a new OI box. For the most part it is working as expected; however, in some cases, for outgoing tcp keep state connections, the other server's response is being rejected with entries like this:

04/03/2012 00:19:34.258038 bnx1 @0:2 b 76.164.171.232,80 -> 10.0.1.180,35862 PR tcp len 20 60 -AS IN NAT

In all these cases, when I look at the packets coming back from the server, they have a window scale set. For example, courtesy of snoop:

TCP:  Options: (20 bytes)
TCP:    - Maximum segment size = 1460 bytes
TCP:    - SACK permitted option
TCP:    - TS Val = 3973139865, TS Echo = 507047078
TCP:    - No operation
TCP:    - Window scale = 7

The ones without a window scale pass through the firewall and set up correctly. Perhaps it is unrelated and not helpful, but I vaguely remember such an issue in the 4.1.X branch. Please let me know if there is more information that might be useful.

I also have some questions about some of the changes to the SIOCADNAT and SIOCGENITER ioctl calls from 4.1.X to 5.1.1, but that's less important. (I'm trying to update my miniupnpd use too.)

Thanks as always for such a great tool.

- logan
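The log entry in the mail is the main evidence for the state-table problem: an inbound TCP packet with SYN and ACK set (the server's reply to an outbound SYN) hitting the block rule instead of the keep-state entry. The following script is an added example, not part of logan's mail or of the ipfilter project; it parses ipmon-style log lines of the shape shown above and pulls out exactly those blocked handshake replies, so an operator can see how often this happens and to which peers. The log-line layout is assumed from the single entry in the mail; all sample lines except that one are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumed layout of one ipmon log line, taken from the entry quoted in the mail:
#   date time ifname @group:rule action src,sport -> dst,dport PR proto len hlen plen [-FLAGS] IN|OUT [extra]
IPF_LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<direction>IN|OUT)(?P<extra>.*)$"
)

# Constructed sample log: the first line is the one from the mail, the other two are made up
# (a logged pass of the outbound SYN and an unrelated blocked UDP packet).
SAMPLE_LOG: List[str] = [
    "04/03/2012 00:19:34.258038 bnx1 @0:2 b 76.164.171.232,80 -> 10.0.1.180,35862 PR tcp len 20 60 -AS IN NAT",
    "04/03/2012 00:19:34.100000 bnx1 @0:1 p 10.0.1.180,35862 -> 76.164.171.232,80 PR tcp len 20 60 -S OUT",
    "04/03/2012 00:19:36.000000 bnx1 @0:3 b 192.0.2.10,5353 -> 10.0.1.180,5353 PR udp len 20 48 IN",
]


def parse_ipf_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ipmon log line into named fields; return None if it does not match."""
    m = IPF_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""          # non-TCP lines carry no flag field
    rec["extra"] = rec["extra"].strip()        # e.g. "NAT" when the packet went through a NAT entry
    return rec


def blocked_handshake_replies(lines: List[str]) -> List[Dict[str, str]]:
    """Return records for inbound TCP packets with SYN+ACK set that ipfilter blocked.

    A blocked SYN/ACK arriving from the remote port of a connection the host itself
    opened is the signature of a missing or non-matching keep-state entry.
    """
    hits = []
    for line in lines:
        rec = parse_ipf_line(line)
        if rec is None:
            continue
        if (rec["action"] == "b" and rec["direction"] == "IN"
                and rec["proto"] == "tcp"
                and "S" in rec["flags"] and "A" in rec["flags"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in blocked_handshake_replies(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} blocked SYN/ACK from {rec['src']}:{rec['sport']} "
              f"to {rec['dst']}:{rec['dport']} (rule @{rec['group']}:{rec['rule']}, {rec['extra'] or 'no NAT'})")
```

Run it against an ipmon log and the output lists only the replies that should have been matched by state; pairing each hit with the outbound SYN logged just before it (same 4-tuple, direction OUT) confirms whether the state entry was created at all or created and then rejected.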
