good call on the firewall!
it's behind a cyberguard firewall. can't stand the thing.
the firewall happens to be doing the handshaking on all incoming TCP connections, been the victim of several TCP/SYN flood attacks. maybe this is where it flakes? the firewall intercepts the client SYN, sends the SYN/ACK, waits for the client ACK. if it gets the ACK it's supposed to open up a new connection to the server. maybe it does, but is breaking the connection to the client?
never been fond of this cyberguard, plus it's running an older version of the firewall on some type of unixware, UNIX_SV cyberguard 4.2MP 2.1 i386 x86at, which supposedly has been "optimized" by cyberguard. god knows what's been done to the tcp stack.
alex
kuznet@xxxxxxxxxxxxx wrote:
> Hello!
>
> > > Just for information: do you know what OS you talk to?
> > > It does something truly wicked.
> >
> > It's SunOS mail 5.6 Generic_105181-05 sun4m sparc SUNW,SPARCstation-5.
>
> This is NOT Solaris, no doubt. 8)
> Or this poor Solaris is hidden behind some absolutely insane firewall.
>
> > If you want more info you can ask Alexander Stanich
> > <astanich@xxxxxxxxxxxxxxxxx>
> > directly (well, as long as your mail gets through - as my Linux is unable
> > to talk with his machine, I have to use his backup relay).
>
> Well, I do not think that I have better chances to send him a mail. 8)
>
> BTW, you can test the following patchlet, it is expected to help.
>
> Alexey
>
> --- ../orig/linux/net/ipv4/tcp_output.c Sun Jun 18 21:24:08 2000
> +++ linux/net/ipv4/tcp_output.c Fri Nov 10 15:07:44 2000
> @@ -79,7 +103,7 @@
> if(skb != NULL) {
> struct tcp_opt *tp = &(sk->tp_pinfo.af_tcp);
> struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
> - int tcp_header_size = tp->tcp_header_len;
> + int tcp_header_size = sizeof(struct tcphdr);
> struct tcphdr *th;
> int sysctl_flags;
>
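Review bot: The new initializer `int tcp_header_size = sizeof(struct tcphdr);` needs a comment saying why the cached `tp->tcp_header_len` is no longer trusted at this point, because the covering message only says the patchlet "is expected to help". From here on the size is rebuilt from the option flags in the branches below, so any option that was counted in `tp->tcp_header_len` but is not re-added there silently drops out of the `skb_push()` length. Also note that both hunk headers are offset by 24 lines (`-79` vs `+103`, `-103` vs `+127`) while this patch adds nothing above line 79, so the new file carries other local changes that are not part of what was posted; it would help to say what tree this was diffed against.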
> @@ -103,12 +127,17 @@
> if(!(sysctl_flags & SYSCTL_FLAG_TSTAMPS))
> tcp_header_size +=
> TCPOLEN_SACKPERM_ALIGNED;
> }
> - } else if(tp->sack_ok && tp->num_sacks) {
> - /* A SACK is 2 pad bytes, a 2 byte header, plus
> - * 2 32-bit sequence numbers for each SACK block.
> - */
> - tcp_header_size += (TCPOLEN_SACK_BASE_ALIGNED +
> - (tp->num_sacks *
> TCPOLEN_SACK_PERBLOCK));
> + } else {
> + if(tp->tstamp_ok)
> + tcp_header_size += TCPOLEN_TSTAMP_ALIGNED;
> +
> + if(tp->sack_ok && tp->num_sacks) {
> + /* A SACK is 2 pad bytes, a 2 byte header,
> plus
> + * 2 32-bit sequence numbers for each SACK
> block.
> + */
> + tcp_header_size += (TCPOLEN_SACK_BASE_ALIGNED
> +
> + (tp->num_sacks *
> TCPOLEN_SACK_PERBLOCK));
> + }
> }
> th = (struct tcphdr *) skb_push(skb, tcp_header_size);
> skb->h.th = th;
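Review bot: In the new `else` branch the header size is now `TCPOLEN_TSTAMP_ALIGNED` plus the SACK bytes, and nothing in the visible lines bounds `tp->num_sacks` once both are present. By the comment in this hunk a SACK option costs 4 bytes plus 8 per block, and TCP allows 40 bytes of options in total, so with timestamps on only three blocks fit; please confirm that `num_sacks` is capped accordingly where it is set, or clamp it here before the `skb_push()`. The code that writes the options further down (not shown) has to test exactly the same `tp->tstamp_ok` and `tp->sack_ok && tp->num_sacks` conditions, otherwise the space reserved and the bytes written disagree. Separately, the mailer has wrapped several long lines of this hunk (the `TCPOLEN_SACK_PERBLOCK` continuations and the SACK comment), so it will not apply as posted; resending it as an attachment would avoid that.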