On Fri, Mar 13, 2009 at 10:15:06AM +0000, Stuart Henderson wrote:
> On 2009/03/13 10:25, Jeremie Le Hen wrote:
> >
> > It doesn't seem to be possible to disable sequence number/window
> > tracking. Does it?
>
> It's possible if you port the "sloppy" state handling code from OpenBSD.
Using 'sloppy' is a bad idea, and not recommended unless you really, really know what you are doing. If you think you need to use it, you are most likely wrong and have either a bad network design or broken software. Fix those instead.

I would only consider using 'sloppy' if BOTH of the following are true:

a) There is a compelling performance or network architecture reason for doing so, such as asymmetric routing or relayd with 'direct server return'. Avoid these if you can.

b) All boxes which receive TCP connections through these 'sloppy' rules are running OpenBSD -current or supported -stable; or there are additional layers of firewall further in on your network which don't use 'sloppy'.
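As an added example (not from this thread or from any of its authors), a pf.conf fragment showing the relaxed 'sloppy' state option confined to the one direct-server-return path the reply allows for, with full sequence-number and window tracking kept everywhere else. The interface, VIP and server names ($ext_if, $lb_vip, $web_servers, $admin_net) and the addresses are assumed placeholders.

```conf
# Added example, not from the mailing-list thread. Placeholder names and
# constructed addresses; adjust to the real topology before loading.
ext_if      = "em0"
lb_vip      = "192.0.2.10"                   # relayd virtual IP (constructed)
web_servers = "{ 10.0.0.11, 10.0.0.12 }"     # real servers behind DSR (constructed)
admin_net   = "10.0.1.0/24"                  # management network (constructed)

# Default deny, logged, so anything that does not match a pass rule below
# is dropped and visible in pflog.
block log all

# Weak setting, scoped as narrowly as possible: with direct server return the
# replies from $web_servers go straight back to the client and never cross this
# firewall, so a fully tracked state would only ever see one direction and
# would start dropping the client's later segments. 'sloppy' disables the
# sequence-number/window checks for THIS rule only, on this interface, to this
# VIP and these ports. Do not widen it to "any".
pass in on $ext_if proto tcp from any to $lb_vip port { 80, 443 } \
    keep state (sloppy)

# Everything else keeps the default full tracking: a segment outside the
# tracked window is dropped even if it matches the 4-tuple of an open state.
pass in on $ext_if proto tcp from $admin_net to $ext_if port 22 keep state
pass out on $ext_if proto tcp from $ext_if to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm with `pfctl -sr` that only the one VIP rule carries the `sloppy` option.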