
SPI firewalls on third party routers may cause incorrect behavior

11622 Views, 0 Replies. Latest reply: Apr 21, 2010 1:38 PM by William Kucharski
William Kucharski, Level 6 (14,425 points)
Apr 21, 2010 1:38 PM
Disclaimer: Apple does not necessarily endorse any suggestions, solutions, or third-party software products that may be mentioned in the topic below. Apple encourages you to first seek a solution at Apple Support. The following links are provided as is, with no guarantee of the effectiveness or reliability of the information. Apple does not guarantee that these links will be maintained or functional at any given time. Use the information below at your own discretion.



Some users have reported that image queries to sites such as Google Image Search, Google Maps and Bing do not display results in Snow Leopard. This is because of overaggressive "SYN Flood" protection in the firewalls of some third party routers.

When image results are to be displayed, Safari and Firefox make multiple simultaneous connections to the host to retrieve them. This is usually faster than downloading the images one at a time.

Safari in Mac OS X Snow Leopard may make as many as sixteen simultaneous connections to the Google image server's HTTP port within 0.0043 second to retrieve the data; in Mac OS X Leopard it may be as few as eight.

Some consumer-level SPI firewalls misinterpret the attempt to open that many simultaneous connections to one server as a "SYN flood" and block the traffic. That's not good, especially when the connections are being made from your machine to an outside host, so the firewall is effectively blocking you from perpetrating what it thinks is a SYN flood.

Some Flickr users have experienced a similar issue.

If your router allows configuration of its SPI firewall, you may be able to solve this problem if it has a setting labeled something like:

Maximum incomplete TCP/UDP sessions number from same host

On those routers, this setting often defaults to "10"; simply increasing it to a much higher value - many have had good luck with "20" - will allow accesses to work as desired and will also allow some room for possible future expansion in the number of simultaneous queries made.

If your router does not offer such a setting, there's no solution other than to disable the firewall.

Note that any operating system - Linux, Solaris, even perhaps Windows 7 - could trigger the same problem. You can even generate the same issue in Windows XP by applying "speed tweaks" such as this.

(Some explanation from Microsoft is available as well.)

In short, it's a bad assumption made on the part of the SPI firewall's designers, not by Apple.

This is the 1st version of this tip. It was submitted on April 20, 2010 by William Kucharski.
Quad 2.5 GHz G5, 5 GB | 15" 2.6 GHz MBP Penryn, 4 GB | 1 TB Dual-Band TC, Mac OS X (10.6.3)
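
The behavior described in this tip can be reproduced with a small model of a per-host "incomplete sessions" limit. This is an added example, not part of the original tip and not any router's actual code; the drop rule (refuse a new SYN once the host's half-open count reaches the limit), the 30 ms round-trip time, the source address and the function names are all assumptions made for illustration.

```python
from collections import defaultdict

def simulate(events, max_incomplete):
    """Replay (time_s, kind, src, conn_id) events through a per-source limiter.

    kind is "syn" (client starts a handshake) or "established" (handshake done).
    Assumed rule: a new SYN is dropped when the source already has
    max_incomplete half-open connections. Returns (allowed_ids, dropped_ids).
    """
    half_open = defaultdict(set)
    allowed, dropped = [], []
    for _, kind, src, conn in sorted(events):
        if kind == "syn":
            if len(half_open[src]) >= max_incomplete:
                dropped.append(conn)           # treated as part of a "SYN flood"
            else:
                half_open[src].add(conn)
                allowed.append(conn)
        elif kind == "established":
            half_open[src].discard(conn)       # no longer counts as incomplete
    return allowed, dropped

def browser_burst(n_conns, burst_s=0.0043, rtt_s=0.030, src="192.168.1.10"):
    """Constructed traffic: n_conns SYNs spread evenly over burst_s seconds,
    each handshake completing one (assumed) round trip after its SYN."""
    events = []
    for i in range(n_conns):
        t = burst_s * i / max(n_conns - 1, 1)
        events.append((t, "syn", src, i))
        events.append((t + rtt_s, "established", src, i))
    return events

if __name__ == "__main__":
    cases = [
        ("Snow Leopard, 16 conns, limit 10", browser_burst(16), 10),
        ("Snow Leopard, 16 conns, limit 20", browser_burst(16), 20),
        ("Leopard, 8 conns, limit 10", browser_burst(8), 10),
        ("16 conns spread over 1 s, limit 10", browser_burst(16, burst_s=1.0), 10),
    ]
    for label, events, limit in cases:
        allowed, dropped = simulate(events, limit)
        print(f"{label}: {len(allowed)} allowed, {len(dropped)} dropped")
```

Because the whole burst is sent in far less time than one round trip, no handshake can complete before the last SYN leaves, so all sixteen connections count as incomplete at once; the same sixteen connections spread over a second never trip the limit.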