 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  mika <mikata at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Error: Outbound Blocking
 Date:  Tue, 11 Jan 2005 02:25:29 -0500
On Mon, 10 Jan 2005 21:08:15 +0100, mika <mikata at gmail dot com> wrote:
> Hi guys, I am just frustrated right now. I got the default LAN -> any
> rule allow on LAN Interface. I set up ports 3724, 6112 and range 6881 -
> 6999 to my PC for using Blizzard Downloader (WoW Beta). That's all! I
> use T-Online PPPoE DSL internet access.
> 
> But there are strange Log Entries:
> 21:03:53.197841         LAN     192.168.0.20, port 4578         217.95.232.X, port 6881         TCP
> 21:03:21.848277         LAN     192.168.0.20, port 3244         217.234.175.X, port 6881        TCP
> 

I was able to replicate this, and afterwards found something in the
list archives from Manuel.
http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=77&actionargs%5B%5D=54

That partially explains it: it's missing the state table.  Mine was
hitting the same rule mentioned in that post.

Why is it missing the state table, and why so frequently?  A previous
post of mine explains why it's missing it, and it's so frequent
(relative to other traffic) because of the large number of TCP
connections that BitTorrent will use.
http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=121&actionargs[]=25

Specifically, this part of my post:

--
My guess is it's retransmitted and/or last packets not
hitting the state of the connection in process, as described in the
ipfilter howto:

"Due to the often laggy nature of the Internet, sometimes packets will
be regenerated. Sometimes, you'll get two copies of the same packet,
and your state rule which keeps track of sequence numbers will have
already seen this packet, so it will assume that the packet is part of
a different connection. Eventually this packet will run into a real
rule and have to be dealt with. You'll often see the last packet of a
session being closed get logged because the keep state code has
already torn down the connection before the last packet has had a
chance to make it to your firewall. This is normal, do not be
alarmed."
--

If you've enabled traffic shaping, it will intentionally slow down BT
traffic.  Otherwise the only explanation for the slowdown is too many
downloaders and not enough uploaders on WoW.

As for the port 3724 -> 2406, I couldn't replicate that, but I'm sure
it's the same.

-Chris
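The mechanism described in the quoted ipfilter howto (a state entry torn down before the connection's last packet arrives, so that packet falls through to the logging default block rule) can be seen in a toy model. The following is an added illustration, not m0n0wall or ipfilter code, and it assumes, as an assumption rather than a fact from this thread, that the LAN pass rule only creates state on the initial SYN ("flags S keep state") and that everything without a state entry or a matching rule hits a logging default block. The addresses, timestamps and packet sequence are constructed.

```python
"""Constructed toy model of an ipfilter-style 'keep state' packet filter.

Added illustration, not m0n0wall or ipfilter source. Assumption: the LAN
pass rule creates state only on SYN ('flags S keep state'); everything
else falls to a logging default block rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: str
    iface: str      # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags, e.g. "S", "SA", "A", "FA"
    proto: str = "TCP"


class ToyStatefulFilter:
    """Minimal 'keep state' emulation: state lookup first, then the rule set."""

    def __init__(self):
        self.states = {}   # initiator 4-tuple -> number of FINs seen so far
        self.log = []      # lines in the same layout as the m0n0wall log excerpt

    @staticmethod
    def _keys(p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd, rev

    def process(self, p):
        fwd, rev = self._keys(p)
        # 1. State table: packets of a known connection pass in either direction.
        key = fwd if fwd in self.states else rev if rev in self.states else None
        if key is not None:
            if "R" in p.flags:
                del self.states[key]            # reset: state torn down at once
            elif "F" in p.flags:
                self.states[key] += 1
                if self.states[key] == 2:       # both sides have sent FIN,
                    del self.states[key]        # so the state entry is gone
            return "pass (state)"
        # 2. Rule set (assumed): pass on LAN from LAN net to any flags S keep state
        if p.iface == "LAN" and p.src.startswith("192.168.0.") and p.flags == "S":
            self.states[fwd] = 0
            return "pass (rule, new state)"
        # 3. Default rule: block and log, in the thread's log layout.
        self.log.append(
            f"{p.ts}\t{p.iface}\t{p.src}, port {p.sport}\t{p.dst}, port {p.dport}\t{p.proto}"
        )
        return "block (default rule, logged)"


def run_session():
    """Replay a constructed BitTorrent-like session whose final ACK arrives late."""
    lan, peer = "192.168.0.20", "217.95.232.1"   # constructed addresses
    session = [
        Packet("21:03:50.000001", "LAN", lan, 4578, peer, 6881, "S"),
        Packet("21:03:50.100001", "WAN", peer, 6881, lan, 4578, "SA"),
        Packet("21:03:50.100002", "LAN", lan, 4578, peer, 6881, "A"),
        Packet("21:03:51.000001", "LAN", lan, 4578, peer, 6881, "PA"),
        Packet("21:03:53.000001", "LAN", lan, 4578, peer, 6881, "FA"),  # our side closes
        Packet("21:03:53.150001", "WAN", peer, 6881, lan, 4578, "FA"),  # peer closes: state gone
        Packet("21:03:53.197841", "LAN", lan, 4578, peer, 6881, "A"),   # final ACK: no state, not SYN
        Packet("21:03:53.300001", "LAN", lan, 4578, peer, 6881, "PA"),  # retransmitted data, same fate
    ]
    fw = ToyStatefulFilter()
    verdicts = [fw.process(p) for p in session]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_session()
    for v in verdicts:
        print(v)
    print("\n".join(log))
```

The last two packets are legitimate traffic of an already closed connection; they are logged only because the state entry that would have matched them was already removed. Seeing such lines with a LAN source and a peer's port 6881 is therefore expected noise from a busy BitTorrent client, not a sign that the LAN rule is wrong.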