 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Need some help understanding why certain traffic is being blocked.
 Date:  Tue, 12 Apr 2005 00:55:12 -0700 (PDT)
On Mon, 4 Apr 2005, Chris Buechler wrote:
> On Apr 4, 2005 4:54 PM, Don Munyak <don dot munyak at gmail dot com> wrote:
> > 
> > I still don't understand why m0n0wall blocks the outbound traffic
> > though. The only thing I can think of is possibly an out of sync
> > packet, since m0n0wall is stateful. ???
> Exactly.  http://m0n0.ch/wall/docbook/faq-legit-traffic-dropped.html

That's an excuse, not an explanation.  The possibility of stale packets is
taken into account by TCP, which is why at least one end has to keep the
connection around in the TIME_WAIT state after it's theoretically fully
closed.  Any reasonable stateful filter should take that into
account.  The *real* reason for most of the falsely blocked packets is
bugs in IPFilter.

					Fred Wright
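
A minimal model of the TIME_WAIT point in the message above, as an added example that is not part of the original post and is not IPFilter or m0n0wall code. The `StateTable` class, the `linger` parameter, the 30-second `MSL` value, and the packet trace are all assumptions constructed for illustration; the trace compares a filter that discards state at close with one that keeps it for 2*MSL.

```python
from dataclasses import dataclass, field
from typing import Optional

MSL = 30  # assumed maximum segment lifetime (seconds); TIME_WAIT lasts 2*MSL

@dataclass
class Conn:
    fins: set = field(default_factory=set)  # endpoints that have sent a FIN
    closed_at: Optional[float] = None       # when the final ACK was seen

class StateTable:
    """Toy stateful filter: 'linger' is how long a closed entry is kept."""
    def __init__(self, linger):
        self.linger = linger
        self.conns = {}

    def check(self, now, src, dst, flags):
        key = frozenset((src, dst))
        conn = self.conns.get(key)
        # Expire entries whose linger period after close has run out.
        if conn and conn.closed_at is not None and now - conn.closed_at > self.linger:
            del self.conns[key]
            conn = None
        if conn is None:
            if flags == "S":               # only a SYN may create state
                self.conns[key] = Conn()
                return "pass"
            return "block"
        if conn.closed_at is None:
            if "F" in flags:
                conn.fins.add(src)
            elif len(conn.fins) == 2 and flags == "A":
                conn.closed_at = now       # final ACK: connection fully closed
        return "pass"

IN, OUT = "192.0.2.10:40000", "198.51.100.5:80"   # constructed endpoints
TRACE = [                                          # constructed packet trace
    (0.0, IN, OUT, "S"), (0.1, OUT, IN, "SA"), (0.2, IN, OUT, "A"),
    (5.0, IN, OUT, "FA"), (5.1, OUT, IN, "FA"), (5.2, IN, OUT, "A"),
    (6.0, OUT, IN, "FA"),    # FIN retransmitted because the final ACK was lost
    (200.0, OUT, IN, "A"),   # stray segment long after 2*MSL
]

def run(linger):
    table = StateTable(linger)
    return [table.check(*pkt) for pkt in TRACE]

if __name__ == "__main__":
    print("drop state at close:", run(0))
    print("keep state 2*MSL:   ", run(2 * MSL))
```
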