Re: Windows Vista and ipfilter servers

------=_Part_10_9300874.1177571177109
Content-Type: multipart/alternative;
boundary="----=_Part_11_23255376.1177571177109"

------=_Part_11_23255376.1177571177109
Content-type: text/plain
Content-Transfer-Encoding: 7bit

I have found something that makes it work again, but also makes me think I need some clarification about my ipf configuration file.
For years I had my customers ipf.conf with a region defining the public ports to be available for public services like this:
pass in quick on [public-if] proto tcp from any to [public-ip]/32 port = 22
and it worked until I got to Windows Vista. Now, it works if I change it to:
pass in quick on [public-if] proto tcp from any to [public-ip]/32 port = 22
keep state
Why?
And also: why this doesn't seem to happen on port 25? Running a telnet on port 25 the manual smtp session seems to work.
How do I have to use this "keep state" actually ?
Finally, how and when should I add the "flags S" ?
I think that this is something that is causing also another issue I got with some "timeout sending data" on Postfix when trying to comunicate with specific destinations.
I'm a bit confused....
Thanx for any help.
Gabriele.
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
----------------------------------------------------------------------------------
Da: Jefferson Ogata <Jefferson.Ogata@noaa.gov>
A: ipfilter@coombs.anu.edu.au
Data: 23 aprile 2007 18.14.32 CEST
Oggetto: Re: Windows Vista and ipfilter servers
On 2007-04-23 10:26, Gabriele Bulfon wrote:
> I have more data:
> - Some servers run fine, and there I have the original IPFilter that
> comes with Solaris 10
> - The ones that fail, are those that I upgraded to IPFilter 4.1.9 or
> 4.1.10 by rebuilding from sources (something was not correctly working
> on AMD installations, so I had to upgrade).
>
> What I don't understand, is why this problem comes up only if I connect
> through Vista, and only on some ports.
Maybe you have TCP window issues, or maybe Vista uses ECN in a way your
ipfilter config doesn't allow for.
I recommend you examine TCP flags and options in your packet traces to
see if there's a difference there between XP and Vista.
--
Jefferson Ogata <Jefferson.Ogata@noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service

------=_Part_11_23255376.1177571177109
Content-type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<BODY>
<FONT face=3DArial><div><font face=3D"Arial">I have found something that ma=
kes it work again, but also makes me think I need some clarification about =
my ipf configuration file.<br>For years I had my customers ipf.conf with a =
region defining the public ports to be available for public services like t=
his:<br><br>pass in quick on [public-if] proto tcp from any to [public-ip]/=
32 port =3D 22<br><br>and it worked until I got to Windows Vista. Now, it w=
orks if I change it to:<br><br></font><font face=3D"Arial">pass in quick on=
[public-if] proto tcp from any to [public-ip]/32 port =3D 22</font><font f=
ace=3D"Arial"> keep state<br><br>Why?<br>And also: why this doesn't seem to=
happen on port 25? Running a telnet on port 25 the manual smtp session see=
ms to work.<br>How do I have to use this "keep state" actually ?<br>Finally=
, how and when should I add the "flags S" ?<br>I think that this is somethi=
ng that is causing also another issue I got with some "timeout sending data=
" on Postfix when trying to comunicate with specific destinations.<br>I'm a=
bit confused....<br><br>Thanx for any help.<br>Gabriele.<br></font><div><f=
ont face=3D"Arial"><br>
<table border=3D"1" cellspacing=3D"0">
<tbody><tr>
<td align=3D"right"><a target=3D"_blank" href=3D"http://www.sonicle.com">
<img src=3D"http://www.sonicle.com/images/mailcard.jpg" wid=3D"" th=3D"350"=
border=3D"0" height=3D"45"></a></td>
</tr>
<tr>
<td align=3D"right">
<font face=3D"Arial" size=3D"1">
Gabriele Bulfon - Sonicle S.r.l.<br>
Tel +39 028246016 Int. 30 - Fax +39 028243880<br>
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY<br>
<a href=3D"http://www.sonicle.com">http://www.sonicle.com</a>
</font>
</td>
</tr>
</tbody></table></font></div><font face=3D"Arial"><tt><br><br><br>---------=
-------------------------------------------------------------------------<b=
r><br>Da: Jefferson Ogata &lt;Jefferson.Ogata@noaa.gov&gt;<br>A: ipfilter@c=
oombs.anu.edu.au <br>Data: 23 aprile 2007 18.14.32 CEST<br>Oggetto: Re: Win=
dows Vista and ipfilter servers<br><br></tt></font><blockquote style=3D"bor=
der-left: 2px solid rgb(0, 0, 128); margin-left: 5px; padding-left: 5px;"><=
font face=3D"Arial"><tt>On 2007-04-23 10:26, Gabriele Bulfon wrote:
<br>&gt; I have more data:
<br>&gt; - Some servers run fine, and there I have the original IPFilter th=
at
<br>&gt; comes with Solaris 10
<br>&gt; - The ones that fail, are those that I upgraded to IPFilter 4.1.9 =
or
<br>&gt; 4.1.10 by rebuilding from sources (something was not correctly wor=
king
<br>&gt; on AMD installations, so I had to upgrade).
<br>&gt;=20
<br>&gt; What I don't understand, is why this problem comes up only if I co=
nnect
<br>&gt; through Vista, and only on some ports.
<br>
<br>Maybe you have TCP window issues, or maybe Vista uses ECN in a way your
<br>ipfilter config doesn't allow for.
<br>
<br>I recommend you examine TCP flags and options in your packet traces to
<br>see if there's a difference there between XP and Vista.
<br>
<br>--=20
<br>Jefferson Ogata &lt;Jefferson.Ogata@noaa.gov&gt;
<br>NOAA Computer Incident Response Team (N-CIRT) &lt;ncirt@noaa.gov&gt;
<br>"Never try to retrieve anything from a bear."--National Park Service
<br>
<br><br><br></tt></font></blockquote></div><font face=3D"Arial"> =
</font></FONT>
</BODY>
</HTML>
------=_Part_11_23255376.1177571177109--

------=_Part_10_9300874.1177571177109--