CFW drops incoming connections - Resolved!

All,

After several weeks of struggling with CFW dropping incoming packets I’ve finally resolved the issue. I’m posting the results here in case someone else has the same problem. I’ve made two other posts on this issue but started a new thread so you don’t have to read through several posts to get the answer.

*** The Symptom:
CFW 3.0.17.304 and earlier drops incoming connections that originate from my Linux-based router. Forwarded incoming connections are usually OK. This means that connections tunneled through SSH or VPN on the router get dropped by the PC running CFW on my home network.

*** The Problem:
CFW apparently drops incoming connections that have Explicit Congestion Notification (ECN) enabled.
The connections appear to be dropped before the incoming packets even reach the Global Rules so you never get a log entry that packets are being dropped.

ECN allows a router to notify a sending system that it is experiencing congestion so the sending system backs off before the congestion gets bad enough that the router starts dropping packets.

There is a good article on ECN at: The Cable Guy - October 2006 | Microsoft Learn

Basically, when an ECN-capable system initiates a TCP connection, it sets the SYN, ECN, & CWR flags in the TCP header.
If the target is ECN-capable, it replies with SYN, ACK, ECN. If not, then it just replies with SYN, ACK.

I have loaded 3rd party firmware (dd-wrt) onto my router. It’s Linux-based and uses the version 2.4 kernel. The router firmware supports ECN and has it enabled by default. Windows prior to Vista does not support ECN; Vista supports it but has it disabled.

*** The Fix:
In the Linux 2.4 kernel, ECN can be disabled with the following command:
echo "0" > /proc/sys/net/ipv4/tcp_ecn (This is what I used.)
If you experience this issue try placing the above command in your startup script.

After disabling ECN, incoming connections from the router work properly!!!

I’ve also placed this information in the Bug report section of the forum and hopefully Comodo will fix the firewall so it works with ECN.

Frank
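
To confirm from a packet capture that the connection attempts going unanswered are the ECN ones, the TCP flag byte can be checked directly. The sketch below is an added example, not part of the original post: it classifies SYN and SYN-ACK segments per RFC 3168 (where the flag the post calls ECN is named ECE) and lists SYNs that never received a SYN-ACK. The addresses, ports and sample capture are constructed.

```python
import struct

# TCP flag bits (byte 13 of the TCP header); ECE and CWR come from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (constructed sample input, checksum 0)."""
    offset_reserved = 5 << 4  # data offset = 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_reserved, flags, 65535, 0, 0)

def classify_ecn(tcp_header):
    """Classify a segment's role in ECN negotiation from its flag byte."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    flags = tcp_header[13]
    if not flags & SYN:
        return "not-a-syn"
    if flags & ACK:
        # ECN-setup SYN-ACK: ECE set, CWR clear
        if flags & ECE and not flags & CWR:
            return "ecn-setup-syn-ack"
        return "non-ecn-syn-ack"
    # ECN-setup SYN: both ECE and CWR set
    if flags & ECE and flags & CWR:
        return "ecn-setup-syn"
    return "non-ecn-syn"

def unanswered_syns(segments):
    """Return (kind, src, sport, dst, dport) for each SYN with no SYN-ACK back."""
    pending = {}
    for src, dst, hdr in segments:
        sport, dport = struct.unpack("!HH", hdr[:4])
        kind = classify_ecn(hdr)
        if kind in ("ecn-setup-syn", "non-ecn-syn"):
            pending[(src, sport, dst, dport)] = kind
        elif kind.endswith("syn-ack"):
            pending.pop((dst, dport, src, sport), None)
    return [(kind, *key) for key, kind in pending.items()]

# Constructed capture: router 192.168.1.1 opens two connections to a PC.
ROUTER, PC = "192.168.1.1", "192.168.1.100"
SAMPLE = [
    (ROUTER, PC, build_tcp_header(40001, 22, SYN | ECE | CWR)),  # no reply
    (ROUTER, PC, build_tcp_header(40002, 22, SYN)),              # plain SYN
    (PC, ROUTER, build_tcp_header(22, 40002, SYN | ACK)),        # answered
]

if __name__ == "__main__":
    for row in unanswered_syns(SAMPLE):
        print(row)
```

If every unanswered SYN in a real capture is an `ecn-setup-syn` while plain SYNs to the same port are answered, that matches the behaviour described in the post.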

Top job Sherlock! On behalf of the other CFP users, thank you for your perseverance on this issue.

Interesting that CFP drops ECN prior to logging the drop. Egemen? Are you listening here??

OK with you if we paraphrase your post and turn it into an FAQ entry with ECN in the subject (to facilitate searching)?

Again, thanks a bunch!
Ewen :)

Ok with me! Hope this can help others!!!
Frank