Darren Reed wrote:
On 04/14/09 03:10 PM, Jens Elkner wrote:
On Tue, Apr 14, 2009 at 05:09:01PM -0400, Oscar del Rio wrote:
On a couple of systems running nv109 and nv110, with ipfilter enabled,
we occasionally get OOW and NEG_OOW errors.
ipf rule (a web server):
pass in quick proto tcp from any to any port = 80 keep state keep frags
A SUN case engineer told me that one should always add 'flags S' when using
'keep state' to not get into trouble. Why: unknown ...
Because TCP window scaling options are only in the SYN/SYN-ACK
packets and they affect what each end system considers to be "in window".
If you create TCP state with IPFilter in mid-stream, it will be without
that knowledge and hence unable to correctly mimic the end nodes'
idea of what the window really is.
Thus IPFilter will think things are "out of window" (OOW) when they
really aren't...
Thanks, Darren and Jens!
I will fix the keep state rules and check if the OOW errors go away.
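
The window-scale effect Darren describes, as an added example that is not part of the original thread and is not IPFilter's code: a simplified Python model of a stateful filter that learns the scale factor only from SYN/SYN-ACK segments. The `Seg` type, the `track` function and the packet trace are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Seg:
    src: str                      # "c" (client) or "s" (web server)
    flags: str                    # "S", "SA" or "A"
    seq: int
    ack: int = 0
    win: int = 0                  # raw 16-bit window field from the header
    length: int = 0               # payload bytes
    wscale: Optional[int] = None  # window scale option (SYN / SYN-ACK only)

def track(trace):
    """Return one verdict per segment: 'ok' or 'OOW' (simplified model)."""
    scale = {"c": 0, "s": 0}        # shift each side applies to its own window
    limit = {"c": None, "s": None}  # highest sequence number each side may reach
    verdicts = []
    for seg in trace:
        peer = "s" if seg.src == "c" else "c"
        if "S" in seg.flags and seg.wscale is not None:
            scale[seg.src] = seg.wscale          # only learnable from the handshake
        end = seg.seq + seg.length
        ok = limit[seg.src] is None or end <= limit[seg.src]
        verdicts.append("ok" if ok else "OOW")
        if "A" in seg.flags:
            # The window field carried in a SYN/SYN-ACK itself is never scaled.
            shift = 0 if "S" in seg.flags else scale[seg.src]
            limit[peer] = seg.ack + (seg.win << shift)
    return verdicts

# Constructed trace: client advertises win=512 with scale 7, i.e. 65536 bytes.
TRACE = [
    Seg("c", "S",  seq=100,  win=65535, wscale=7),
    Seg("s", "SA", seq=1000, ack=101, win=65535, wscale=7),
    Seg("c", "A",  seq=101,  ack=1001, win=512),
    Seg("s", "A",  seq=1001, ack=101, win=512, length=1460),
    Seg("s", "A",  seq=2461, ack=101, win=512, length=1460),
]

if __name__ == "__main__":
    # State created on the SYN (what 'flags S' enforces): scale is known.
    print("from SYN:  ", track(TRACE))
    # State created mid-stream on the client's ACK: scale assumed 0,
    # so the server's 1460-byte segments exceed the believed 512-byte window.
    print("mid-stream:", track(TRACE[2:]))
```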