Topic: CFP drops VPN or SSH packets from Linux router without logging

Author: panic, Global Moderator

« on: February 15, 2008, 09:51:24 PM »

CFP drops VPN or SSH packets from Linux router without logging

There have been several reports of dropped VPN or SSH connections, routed via a Linux-based router, with no log entries being created for the dropped connections.

A forum member (fmverv) has determined that the root cause is that CFP does not correctly handle packets that have Explicit Congestion Notification (ECN) enabled. He has documented the issue and the solution as follows:

*************************************************************

The Symptom:

CFW 3.0.17.304 and earlier drops incoming connections that originate from my linux based router.  Forwarded incoming connections are usually OK.  This means that connections tunneled through SSH or VPN on the router get dropped by the PC running CFW on my home network.

The Problem:

CFW apparently drops incoming connections that have Explicit Congestion Notification (ECN) enabled.
The connections appear to be dropped before the incoming packets even reach the Global Rules so you never get a log entry that packets are being dropped.

ECN allows a router to notify a sending system that it is experiencing congestion so the sending system backs off before the congestion gets bad enough that the router starts dropping packets.

There is a good article on ECN at: http://technet.microsoft.com/en-us/library/bb878122.aspx

Basically, when an ECN capable system initiates a TCP connection, it sets SYN, ECN, & CWR flags in the TCP header.
If the target is ECN capable, it replies with SYN, ACK, ECN.  If it isn't ECN compliant, then it just replies with SYN, ACK.

I have loaded 3rd party firmware (dd-wrt) onto my router.  It is Linux-based and uses the version 2.4 kernel.  The router firmware supports ECN and has it enabled by default.  Windows prior to Vista does not support ECN; Vista supports it, but it is disabled by default.

The Fix:

In the linux 2.4 kernel, ECN can be disabled with the following command:

echo "0" > /proc/sys/net/ipv4/tcp_ecn
(This is what I used on my Linux based router. Command syntax for other variants of router O/S kernel may vary.)

If you experience this issue try placing the above command in your startup script.

After disabling ECN, incoming connections from the router work properly!!!!

***************************************************************************

Many thanks to fmverv for his persistence in tracking down both the cause and the solution.

N.B. Minor spelling, grammar and style changes have been applied to fmverv's original posting
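The handshake fmverv describes (SYN with the ECN bits set, answered by SYN/ACK with one ECN bit set) is easy to verify on a capture before touching the router's tcp_ecn setting. The following script is an added example, not part of the original post or of Comodo's or dd-wrt's code: it decodes the IPv4 TOS ECN codepoint and the TCP flag bits from raw header bytes and classifies each segment the way RFC 3168 does. RFC 3168 calls the two TCP bits CWR and ECE; the post's "ECN" flag is the ECE bit. The packets it parses are constructed inline (zeroed checksums, no payload) purely to exercise the decoder.

```python
"""Decode ECN negotiation from raw IPv4/TCP headers (RFC 3168 rules).

Added example for illustration; packets below are constructed, not captured.
"""
import struct

# TCP flag bits, low to high. RFC 3168 names are CWR and ECE; the forum
# post refers to ECE as the "ECN" flag.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# IPv4 TOS/DSCP byte: low two bits are the ECN codepoint.
IP_ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return ports, IP ECN codepoint and the 8 TCP flag bits of a raw packet."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, tos = pkt[0], pkt[1]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "sport": sport,
        "dport": dport,
        "ip_ecn": IP_ECN_NAMES[tos & 0x03],
        "flags": off_flags & 0xFF,  # drop data offset and the NS bit
    }


def classify_ecn(flags: int) -> str:
    """Name a segment's role in ECN negotiation per RFC 3168 section 6.1.1."""
    syn, ack, ece, cwr = flags & SYN, flags & ACK, flags & ECE, flags & CWR
    if syn and not ack:
        return "ECN-setup SYN" if (ece and cwr) else "non-ECN-setup SYN"
    if syn and ack:
        # An ECN-capable responder sets ECE only; CWR must be clear.
        return "ECN-setup SYN-ACK" if (ece and not cwr) else "non-ECN-setup SYN-ACK"
    return "data/other"


def negotiated(syn_pkt: bytes, synack_pkt: bytes) -> bool:
    """True only when both halves of the handshake are ECN-setup segments."""
    return (classify_ecn(parse_ipv4_tcp(syn_pkt)["flags"]) == "ECN-setup SYN"
            and classify_ecn(parse_ipv4_tcp(synack_pkt)["flags"]) == "ECN-setup SYN-ACK")


def build_packet(flags: int, ip_ecn: int = 0, sport: int = 40000, dport: int = 22) -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers, zero checksums, no data.

    Addresses are placeholders (assumed home LAN), enough for header decoding only.
    """
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, ip_ecn & 0x03, 40, 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Router with tcp_ecn=1 opening a connection, PC replying with and without ECN.
    ecn_syn = build_packet(SYN | ECE | CWR)
    ecn_synack = build_packet(SYN | ACK | ECE, sport=22, dport=40000)
    plain_synack = build_packet(SYN | ACK, sport=22, dport=40000)
    for name, pkt in (("SYN", ecn_syn), ("SYN/ACK ecn", ecn_synack),
                      ("SYN/ACK plain", plain_synack)):
        info = parse_ipv4_tcp(pkt)
        print(f"{name:14} flags=0x{info['flags']:02x} ip={info['ip_ecn']:8} "
              f"{classify_ecn(info['flags'])}")
    print("negotiated with ECN peer:", negotiated(ecn_syn, ecn_synack))
    print("negotiated with plain peer:", negotiated(ecn_syn, plain_synack))
```

A SYN classified as "ECN-setup SYN" leaving a router whose `/proc/sys/net/ipv4/tcp_ecn` is 1 is exactly the packet the post says CFW silently dropped; after `echo "0" > /proc/sys/net/ipv4/tcp_ecn` the same decoder should report "non-ECN-setup SYN" for new connections.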