From: Chris Brenton <cbrenton@chrisbrenton.org>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: ACK,RST getting dropped in the firewall.
Date: Thu, 24 Jun 2004 14:29:09 -0400 [thread overview]
Message-ID: <1088101748.2028.39.camel@grendel> (raw)
In-Reply-To: <200406241709.50795.Antony@Soft-Solutions.co.uk>
On Thu, 2004-06-24 at 12:09, Antony Stone wrote:
>
> In my experience (with things like SMTP, HTTP) it appears to be the server
> which generally issues the (first) FIN/ACK, telling the client that there's
> no more data
Weird, my experience with HTTP has been the other way around. The client
request typically requires just a single back. Its the data returned
from the server that can take multiple packets (thus the client finishes
first). This is why when most people run into this time-out issue its
always the server still trying to transmit _from_ TCP/80, rather than
the client trying to send _to_ TCP/80. A good example are the log
entries that started this thread.
> I wonder how other stateful firewalls (eg: CP FW-1?) handle this sort of thing
> - do they listen for *both* FIN/ACKs (and thereby leave themselves prey to
> half-open connections littering their connection table for systems which
> don't bother to send the responding FIN/ACK)?
With FW-1 and PIX, they use a higher state table time out. Again, proper
way to fix this would be to reset the timer if the session stays active.
Fixes both your worries and mine. :)
As for OS's that don't return a FIN/ACK, I can't say I've seen this in
the wild (which is why I asked which OS so I could test this). I know
there used to be a few OS's (older Mac OS and SGI come to mind) that
used to "cheat" by sending a RST/ACK instead of a FIN/ACK, but that was
cleaned up years ago.
HTH,
Chris
prev parent reply other threads:[~2004-06-24 18:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-06-23 11:06 ACK,RST getting dropped in the firewall Manikandan
2004-06-23 11:32 ` Chris Brenton
2004-06-24 9:37 ` Gavin Hamill
2004-06-24 10:44 ` Antony Stone
2004-06-24 13:36 ` Chris Brenton
2004-06-24 13:52 ` Jozsef Kadlecsik
2004-06-24 13:54 ` Antony Stone
2004-06-24 15:48 ` Chris Brenton
2004-06-24 16:09 ` Antony Stone
2004-06-24 18:29 ` Chris Brenton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1088101748.2028.39.camel@grendel \
--to=cbrenton@chrisbrenton.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.