On Tue, 14 Sep 2004 14:00:26 -0700
Nivedita Singhvi <niv@xxxxxxxxxx> wrote:
> Can you reproduce on the latest kernel, please?
> Is the OpenBSD mangling the packet in any way?
>
> Can anyone tell me if this smells like something
> recently fixed (MTU issues)? Doesn't sound like
> the windowscaling problem but could be related.

OpenBSD pf is easy to configure to break window scaling.
The developer claims it's not a bug. Basically stateless
TCP connection tracking will never work, it's a bad idea.

Daniel Hartmeier <daniel@xxxxxxxxxxxxx> wrote:
> The problem arises when the user creates a complicated ruleset that
> passes the first SYN of a connection without creating a state entry. You
> might argue that this shouldn't be possible, but some forms of stateless
> filtering are being used. The man page warns against this, too.
>
> In this particular case, the ruleset tells pf to pass the initial SYN
> without creating state (and therefore without any place to note the
> window option and first scale factor). When, later, the SYN+ACK creates
> state, the state just doesn't contain the information to follow the
> scaled windows.
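
A simplified model of the failure described in the quoted explanation above, added here as an illustration; it is not pf's code and was not part of the original thread. The class names, the window check and the sample segments are constructed for the example. It replays the same trace twice: once with state created on the first SYN, once with state created on the SYN+ACK because the SYN was passed statelessly.

```python
# Simplified model of stateful TCP window tracking (illustration only, not pf's code).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Peer:
    wscale: Optional[int] = None  # shift count seen on this peer's SYN or SYN+ACK
    ack: int = 0                  # highest ACK number this peer has sent
    win: int = 0                  # last advertised window in bytes, after scaling

@dataclass
class State:
    peers: dict = field(default_factory=lambda: {"client": Peer(), "server": Peer()})

    def observe(self, src, dst, flags, seq, ack, raw_win, length=0, wscale=None):
        """Update state from one segment; False means it lies outside the tracked window."""
        s, d = self.peers[src], self.peers[dst]
        if "S" in flags:
            s.wscale = wscale   # the option is carried only on SYN segments
            s.win = raw_win     # the window field of a SYN is never scaled
        else:
            # Scaling applies only if both shift counts were recorded.
            both = s.wscale is not None and d.wscale is not None
            s.win = raw_win << s.wscale if both else raw_win
        if "A" in flags:
            s.ack = ack
        # Payload must end inside what the receiver last acknowledged plus its window.
        return not (length and seq + length > d.ack + d.win)

# Constructed trace: (src, dst, flags, seq, ack, raw_win, length, wscale)
SEGMENTS = [
    ("client", "server", "S",  1000,  0,    65535, 0,    7),
    ("server", "client", "SA", 5000,  1001, 65535, 0,    7),
    ("client", "server", "A",  1001,  5001, 512,   0,    None),
    ("server", "client", "A",  5001,  1001, 512,   0,    None),  # really 512 << 7 bytes
    ("client", "server", "A",  61001, 5001, 512,   1460, None),  # late segment of a burst
]

def replay(segments):
    """Feed segments to a fresh state entry and return the per-segment verdicts."""
    st = State()
    return [st.observe(*seg) for seg in segments]

if __name__ == "__main__":
    print("state from first SYN:", replay(SEGMENTS))
    print("state from SYN+ACK: ", replay(SEGMENTS[1:]))
```

In the second replay the tracker never saw the client's scale factor, so it reads the server's window as 512 bytes instead of 65536 and rejects a segment that both endpoints consider in-window.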