We have not released 7RC4 yet. You probably run BETA4. An upgrade to
7RC1 or 7RC2 in the next few days fixes all known TCP bugs.
Other than that it looks like your PF rule set may be not entirely
correct. Please post your pf.conf.
--
Andre
> in the daily security email I get dozens of messages like this, also to
> other tcp ports (e.g. 80)
>
> default-values for:
> net.inet.tcp.syncache.rst_on_sock_fail: 1
> net.inet.tcp.syncache.rexmtlimit: 3
> net.inet.tcp.syncache.hashsize: 512
> net.inet.tcp.syncache.count: 0
> net.inet.tcp.syncache.cachelimit: 15360
> net.inet.tcp.syncache.bucketlimit: 30
>
>
> Can anybody help me out of this?
_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
Yeah of course, I mean BETA4. uname says: 7.0-PRERELEASE
Which tag is the best?
Currently I use release=cvs tag=RELENG_7. Will I get 7RC.. with this?
> Other than that it looks like your PF rule set may be not entirely
> correct. Please post your pf.conf.
Except for the filter rules, this is the top of my pf.conf
<some macros>
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# Normalization
#scrub in all
set optimization normal
set block-policy return
....
Oskar
Yes. Please cvsup and recompile your kernel.
>> Other than that it looks like your PF rule set may be not entirely
>> correct. Please post your pf.conf.
>
>
> Except for the filter rules, this is the top of my pf.conf
>
> <some macros>
>
> set timeout { interval 30, frag 10 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
>
>
> # Normalization
> #scrub in all
>
> set optimization normal
> set block-policy return
This information is insufficient to see what happens in PF. I need to
see the actual firewall, nat and rdr rules. You can send them to me by
private mail (entire pf.conf).
--
Andre
Really, if he wants to get -RC1, he should cvsup tag=RELENG_7_0.
RELENG_7 is still identified as -PRERELEASE.
--
Dixi.
Sem.