Subject: Re: SYN cookie firewall
To: suxm <suxm@gnuchina.org>
From: Jon Lindgren <jlindgren@slk.com>
List: tech-net
Date: 04/20/2001 10:10:03
On Thu, 19 Apr 2001, suxm wrote:

> hello, everyone.
> 
> Please think over the following figure.
> 
>             client           NetBSD Firewall           server
>             ------          ----------          ------
>    1.        SYN----------- - - - - - - - - - ->
>    2.           <------------SYN-ACK(cookie)
>    3.        ACK----------- - - - - - - - - - ->
>    4.           - - - - - - -SYN--------------->
>    5.           <- - - - - - - - - ------------SYN-ACK
>    6.           - - - - - - -ACK--------------->
> 
>    7.           -----------> relay the  ------->
>                 <----------- connection <-------
> 
>    1. A SYN is sent from C(client) to S(server)
>    2. The firewall acts as S to respond with a SYN-ACK carrying a SYN cookie.
>    3. C sends the ACK. Then the connection should be established.

Again, what happens if the ACK packet sent in step 3 is dropped?  It is
the server's responsibility to resend the SYN-ACK (step 2) if it
doesn't receive an ACK from the client within a certain period of
time.  Since there is no state on the server, it cannot resend the
SYN-ACK packet.  Connections won't set up in this case, and the client will
hang, waiting for events which never occur.

Both sommerfeld@orchard.arlington.ma.us and thorpej@zembu.com,
along with many others on this list and other lists, have mentioned
this issue more than once.  If you have a solution to this problem, then
great - let's hear it!  I'm all for improvements!

-
Jon
 --------------------------------------------------------------------
 - The opinions expressed are not necessarily those of my employer.
   "I wonder how many people actually read my .sig?"
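The lost-ACK case argued over in this thread, as an added simulation (not code from the thread or from NetBSD): a stateless SYN-cookie responder beside a conventional stateful listener, with the step-3 ACK dropped. All names, the 4-tuple and the HMAC-based cookie construction are assumptions made for the example.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)  # constructed per-boot secret of the firewall


def syn_cookie(four_tuple, ts_minute):
    """Stateless ISN: truncated HMAC over the 4-tuple, a coarse clock and a secret."""
    msg = "{}:{}-{}:{}-{}".format(*four_tuple, ts_minute).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def cookie_valid(ack_num, four_tuple, ts_minute):
    """Step 3 check: the ACK must carry cookie+1; accept the current or previous minute."""
    return any((syn_cookie(four_tuple, m) + 1) & 0xFFFFFFFF == ack_num
               for m in (ts_minute, ts_minute - 1))


class StatefulListener:
    """Conventional TCP: a half-open entry per SYN, so the timer has something to resend."""

    def __init__(self):
        self.half_open = {}

    def on_syn(self, four_tuple, ts_minute):
        self.half_open[four_tuple] = {"syn_ack_sent": 1}  # constructed entry
        return "SYN-ACK"

    def on_timer(self, four_tuple):
        entry = self.half_open.get(four_tuple)
        if entry is None:
            return None
        entry["syn_ack_sent"] += 1
        return "SYN-ACK"  # retransmitted from stored state


class CookieFirewall:
    """Stateless responder from the figure: the cookie stands in for the half-open entry."""

    def on_syn(self, four_tuple, ts_minute):
        return ("SYN-ACK", syn_cookie(four_tuple, ts_minute))

    def on_timer(self, four_tuple):
        return None  # nothing stored, so nothing can be retransmitted


def lost_ack_outcome(responder, four_tuple=("10.0.0.2", 40000, "10.0.0.1", 80)):
    """Steps 1-2 happen, the step-3 ACK is lost; report what the retransmit timer can do."""
    responder.on_syn(four_tuple, ts_minute=1)  # step 1 arrives, step 2 goes out
    return responder.on_timer(four_tuple)  # step 3 never arrives, timer fires
```

The stateful listener returns a second SYN-ACK from its half-open table, the cookie firewall returns nothing, which is the hang Jon describes.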