Anonymous Coward @teksavvy.com
reply to funchords Re: Comcast is using Sandvine to manage P2P Connections

Has anyone tried configuring their firewall to block incoming RST packets? While this may lead to a lot of stale TCP connections hanging around until they time out (typical timeouts are 5-10 minutes), it may alleviate some of the problems Robb has reported. Alternatively, if the bogus RST packets could somehow be characterized (e.g. empty message body), then perhaps the firewall could be configured to block only these types of RST packets.
I guess the next question is whether or not there are any software firewalls with sufficient flexibility to allow this type of filtering?

NormanS Premium, MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC

said by Anonymous Coward:
I guess the next question is whether or not there are any software firewalls with sufficient flexibility to allow this type of filtering?

The two non-Windows firewalls I worked with could filter by TCP, or UDP, by IP address and by port number; but I don't recall that either could check for RST packets.
I haven't played with the Windows firewall. My router firewall can't check that low.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum

Cabal Premium join:2007-01-21 Boston, MA
reply to Anonymous Coward

said by Anonymous Coward:
Has anyone tried configuring their firewall to block incoming RST packets?
I guess the next question is whether or not there are any software firewalls with sufficient flexibility to allow this type of filtering?

I have not (since I haven't seen this behavior), but any of the UNIX-based firewalls can filter using the TCP header, as can OS X (FreeBSD's ipfw), and I'm sure any of the enterprise-grade hardware firewalls. It can probably be done with the Linux-based Linksys routers through the command-line interface. I'd be interested to hear of any others.
-- Interested in open source engine management for your Subaru?

anonymim @comcast.net

If anybody figures out how to try this firewall filtering with a DD-WRT firmware-flashed Linksys, please post instructions here. I'm about to get kicked off several **legal** (live-music-sharing) torrent trackers for my piss-poor ratio.

no oper @comcast.net
reply to Anonymous Coward

said by Anonymous Coward:
Has anyone tried configuring their firewall to block incoming RST packets?

Yes! On Linux, if you're using a static port for BitTorrent, the following command drops incoming reset packets to that port.
I also noticed that bit 6 of the IP TOS field was set on all these reset packets. As per the IPv4 RFC, bit 6 is "Reserved for future use". tcpdump shows these packets with Since that field is not in use, tcpdump should never show any packets with that filter. But it does on Comcast! Could someone else on Comcast please verify that they can see these too?
iptables 1.3.5, tcpdump version 3.9.4, libpcap version 0.9.4, linux 2.6.20.1

funchords Robb Premium, MVM join:2001-03-11 Hillsboro, OR
·Verizon Online DSL
·Skype
·Comcast
reply to Anonymous Coward

said by Anonymous Coward:
Has anyone tried configuring their firewall to block incoming RST packets?

Yes, I tried this with Linux iptables, and got really excited when it seemed to thwart the problem. But then I realized that the connections were dead, but they simply weren't being removed from the active list.
I believe this means that the RST is sent both ways. The response to an RST is not a FIN, so the TCP/IP stack doesn't know the connection has been dropped.
Good thinking, though.

said by no oper:
I also noticed that bit 6 of the IP TOS field was set on all these reset packets.

I hadn't noticed. They could have been set, or not. Are you directly connected? -- or could your router be adding that bit for use on the LAN?
-- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~

no oper @comcast.net

said by funchords:
I hadn't noticed. They could have been set, or not. Are you directly connected? -- or could your router be adding that bit for use on the LAN?

I'm not directly connected, there's a router on the way, but this bit is set only on the reset packets I'm receiving on the BitTorrent connections and nowhere else.

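Anonymous Coward's idea of characterizing the bogus RSTs (empty body) and no oper's observation (reserved TOS bit set) amount to a packet classifier. The following Python is an added example, not code from this thread: it parses raw IPv4/TCP headers and counts RSTs to a local port that carry both traits, so a capture can be checked before anyone decides on a firewall rule. It assumes RFC 791's MSB-first bit numbering (so "bit 6" of the TOS byte is 0x02) and uses constructed packets with zero checksums.

```python
import struct

# RFC 791 numbers TOS bits from the MSB, so "bit 6" is the 0x02 bit (assumption about the poster's numbering).
TOS_RESERVED_BIT6 = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10
PROTO_TCP = 6

def build_packet(src, dst, sport, dport, flags, tos=0, payload=b""):
    """Constructed IPv4+TCP packet (no options, checksums left at zero) for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp + payload

def inspect(pkt):
    """Decode the fields the thread cares about; None if the packet is not TCP."""
    if pkt[9] != PROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"sport": sport, "dport": dport, "tos": pkt[1],
            "rst": bool(tcp[13] & TCP_RST), "payload_len": len(tcp) - data_offset}

def suspicious_rst(pkt, local_port):
    """True for an RST to local_port with the reserved TOS bit set and no payload."""
    info = inspect(pkt)
    if info is None or not info["rst"] or info["dport"] != local_port:
        return False
    return bool(info["tos"] & TOS_RESERVED_BIT6) and info["payload_len"] == 0

def count_suspicious(packets, local_port):
    """Count how many packets in a capture match the RST-injection fingerprint."""
    return sum(1 for p in packets if suspicious_rst(p, local_port))

# Constructed sample capture: peer 198.51.100.7 talking to our BitTorrent port 6881.
SAMPLE_PACKETS = [
    build_packet("198.51.100.7", "192.0.2.10", 51234, 6881, TCP_ACK, payload=b"\x13BitTorrent"),
    build_packet("198.51.100.7", "192.0.2.10", 51234, 6881, TCP_RST | TCP_ACK),              # ordinary RST
    build_packet("198.51.100.7", "192.0.2.10", 51234, 6881, TCP_RST | TCP_ACK, tos=0x02),    # fingerprint
    build_packet("198.51.100.7", "192.0.2.10", 51234, 6882, TCP_RST | TCP_ACK, tos=0x02),    # other port
]

if __name__ == "__main__":
    print("suspicious RSTs to 6881:", count_suspicious(SAMPLE_PACKETS, 6881))
```

Only the TOS and payload traits are checked; as funchords notes, a matching RST may already have reached the remote peer, so a match is evidence for analysis, not proof that dropping it would keep the connection alive.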
koitsu Premium join:2002-07-16 Mountain View, CA
reply to funchords

said by funchords:
I believe this means that the RST is sent both ways. The response to an RST is not a FIN so the TCP/IP stack doesn't know the connection has been dropped.

Correct. See the below stateful diagram (PDF):
»www.cse.iitb.ac.in/perfnet/cs456···diag.pdf
-- Making life hard for others since 1977. I speak for myself and not my employer/affiliates of my employer.