On Fri, 20 Aug 2004, Frederick Page wrote:
> Fred Wright schrieb am 19. August 2004:
> >>>>1395 @14 skip 1 in proto tcp from any to any flags S/FSRA
> >>>> 79 @15 block in log quick proto tcp from any to any
> >>>>1040 @16 block in log quick on sis0 from any to any head 100
> >it also is unlikely to have an operational impact
> You are of course right, I experienced a lot of trouble with
> transfers lately and blamed blocked packets from rule 15 for these
> troubles. This was obviously premature, since the transfers are fine
> today and I've changed nothing in my setup.
It could still be the same bug. The window-scale bug hit quite
frequently, but only a small percentage of cases met the other conditions
for hanging the connection.
> >>As I said: rule 15 only does harm here
> I was wrong here too :-( Rule 15 did indeed block some wanted traffic,
> but it also blocks junk that I definately do NOT want.
Well, removing 14 and 15 doesn't eliminate *filtering*, it just eliminates
*stateful* filtering. So you'd still be protected from the usual crap
like infected Windows machines banging on ports 135, 445, etc. But I'm
not really recommending doing that.
> >Can you collect simultaneous packet traces from both sides of the
> >m0n0wall when this happens? I only see that symptom sporadically
> Meanwhile it's also sporadically here. As I said before: I had some
> troubles here (cause unknown, but gone now) and quite a pile-up of
> blocked packets and slow transfer-rates. I simply did not analyze
> enough and blamed rule 15 prematurely :-/
Traces of blocked legitimate packets might be informative even in cases
without visible symptoms. But it's not that simple to set up.