k_deftl 2.4.20-100 problems accessing IIS sites through OpenBSD 3.4 Beta firewall
SuSE clients running k_deftl kernel 2.4.20-100 have problems accessing some Microsoft IIS web servers, if they are behind an OpenBSD 3.4 Beta firewall with packet normalizations using the new "reassemble tcp" option in "scrub". After reinstalling the default kernel for the 8.2 Pro from the DVD, the problem goes away. Non-IIS sites does not have this problem. Some more information about this option may be found (with URL broken in three lines) : http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0 &sektion=0&manpath=OpenBSD+Current&arch=i386&format=html #TRAFFIC+NORMALIZATION /Sigfred For your information, here is the e-mail I sent to the OpenBSD packet filter mailing list : Not sure if this should be reported as a bug or not, so please bear with me. A "scrub on $ext_if reassemble tcp" will deny some SuSE clients access to some Microsoft IIS webservers. This appears to be an issue with SuSE's latest kernel (2.4.20-100) only. I'm not sure it it's the IIS servers themselves or some other strange things happening, but the following sites (using IIS, according to netcraft.com) cannot be browsed : www.zmag.org www.svd.se www.dustin.se www.xp-data.com www.itpower.se While the following works www.mentice.com The Windows, Mac and OpenBSD clients behind the firewall can access those sites just fine. If I use "scrub on $ext_if", then there is no problems with SuSE clients. I rebuilt kernel/userland yesterday using -current.
participants (1)
-
Sigfred Håversen