Hi .. I got a strange problem here. I'm testing Monowall for use in our production environment, and everything works great except this: some of our users who are working with a Windows client are stressed by strange timeouts when they want to access our webservers. But first a little graphic to help you understand what everything looks like: http://agoertz.de/example.gif These timeouts are hard to describe because there is no regularity. Sometimes everything works fine and suddenly .. timeout. A netstat on this machine shows a process waiting for an ACK from the server. The funny thing is that our Linux users never ever had these problems. A look in the logs shows that they are working in a port range from 45000 - 52000 ... our Windows users are working in a 1500 - 2500 range .. don't know if this has anything to do with this story, but it's interesting to see. Because this is a testing area, everything is permitted in this scenario; there are no rules which block or reject anything. So I did the 19.6. "Troubleshooting Firewall Rules" and found the following ...
__ last 50 filter log entries ______________________________________
May 23 09:42:48 m0n0wall ipmon[93]: 09:42:47.900011 em1 @0:25 b 172.xx.xx.198,1089 -> 80.xxx.xxx.10,80 PR tcp len 20 515 -AP IN
May 23 09:42:48 m0n0wall ipmon[93]: 09:42:48.176592 em1 @0:25 b 172.xx.xx.198,1089 -> 80.xxx.xxx.10,80 PR tcp len 20 40 -A IN
May 23 09:42:49 m0n0wall ipmon[93]: 09:42:49.006471 em1 @0:25 b 172.xx.xx.198,1105 -> 80.xxx.xxx.10,80 PR tcp len 20 507 -AP IN
May 23 09:42:49 m0n0wall ipmon[93]: 09:42:49.351885 em1 @0:25 b 172.xx.xx.198,1105 -> 80.xxx.xxx.10,80 PR tcp len 20 40 -A IN
May 23 09:43:36 m0n0wall ipmon[93]: 09:43:35.978912 em1 @0:25 b 172.xx.xx.198,1089 -> 80.xxx.xxx.10,80 PR tcp len 20 515 -AP IN
May 23 09:43:36 m0n0wall ipmon[93]: 09:43:36.377665 em1 @0:25 b 172.xx.xx.198,1089 -> 80.xxx.xxx.10,80 PR tcp len 20 40 -A IN
May 23 09:43:37 m0n0wall ipmon[93]: 09:43:36.984680 em1 @0:25 b 172.xx.xx.198,1105 -> 80.xxx.xxx.10,80 PR tcp len 20 507 -AP IN
May 23 09:43:37 m0n0wall ipmon[93]: 09:43:37.545967 em1 @0:25 b 172.xx.xx.198,1105 -> 80.xxx.xxx.10,80 PR tcp len 20 40 -A IN

__ ipfstat -nio ____________________________________________________
@25 block in log quick proto tcp from any to any

__ unparsed ipfilter rules _________________________________________
# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

What's this? Why does this rule come into action? I really have no idea ..

Thanks ...
Andreas Goertz
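Added example, not code from the original post or from m0n0wall: a small Python parser for the ipmon log format quoted above that picks out blocked TCP packets carrying ACK but no SYN (the packets the "flags S/SAFR" skip rule lets fall through to "block in log quick"), and groups them per flow so an admin can see which client sessions are being dropped mid-stream. The sample lines are constructed from the post's own format with its masked addresses; the final passed SYN line and its rule number are made up for contrast.

```python
import re
from collections import Counter

# Constructed sample in the ipmon format quoted in the post (masked addresses kept as-is);
# the last line is a constructed SYN that passed (rule @0:3 is a placeholder), for contrast.
SAMPLE_LOG = """\
May 23 09:42:48 m0n0wall ipmon[93]: 09:42:47.900011 em1 @0:25 b 172.xx.xx.198,1089 -> 80.xxx.xxx.10,80 PR tcp len 20 515 -AP IN
May 23 09:42:48 m0n0wall ipmon[93]: 09:42:48.176592 em1 @0:25 b 172.xx.xx.198,1089 -> 80.xxx.xxx.10,80 PR tcp len 20 40 -A IN
May 23 09:42:49 m0n0wall ipmon[93]: 09:42:49.006471 em1 @0:25 b 172.xx.xx.198,1105 -> 80.xxx.xxx.10,80 PR tcp len 20 507 -AP IN
May 23 09:43:36 m0n0wall ipmon[93]: 09:43:35.978912 em1 @0:25 b 172.xx.xx.198,1089 -> 80.xxx.xxx.10,80 PR tcp len 20 515 -AP IN
May 23 09:50:01 m0n0wall ipmon[93]: 09:50:01.000123 em1 @0:3 p 172.xx.xx.200,1200 -> 80.xxx.xxx.10,80 PR tcp len 20 60 -S IN
"""

# One TCP ipmon line: timestamp, host, interface, rule, b/p verdict, endpoints, flags, direction.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ ipmon\[\d+\]: \S+ (?P<iface>\S+) @(?P<rule>\d+:\d+) "
    r"(?P<action>[bp]) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<flags>-\S+) (?P<dir>IN|OUT)$"
)


def parse_ipmon(text):
    """Return one dict per parseable TCP ipmon line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_midstream_block(rec):
    """A blocked TCP packet with ACK set and SYN clear: exactly what the
    'skip 1 ... flags S/SAFR' / 'block in log quick' pair catches when the
    state table no longer holds an entry for that connection."""
    flags = rec["flags"].lstrip("-")
    return rec["action"] == "b" and rec["proto"] == "tcp" and "A" in flags and "S" not in flags


def blocked_flows(text):
    """Count mid-stream blocks per (src, sport, dst, dport), most frequent first."""
    counts = Counter()
    for rec in parse_ipmon(text):
        if is_midstream_block(rec):
            counts[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for flow, n in blocked_flows(SAMPLE_LOG):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  mid-stream packets blocked: {n}")
```

Flows that show up repeatedly here are established sessions whose state entry the firewall has lost, which is the pattern to compare against the Windows clients' timeouts.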