Mailinglist Archive: opensuse-security (334 mails)

< Previous Next >
k_deftl 2.4.20-100 problems accessing IIS sites through OpenBSD 3.4 Beta firewall
  • From: Sigfred HÃ¥versen <suselist@xxxxxxxxx>
  • Date: Mon, 8 Sep 2003 22:49:49 +0200
  • Message-id: <200309082249.49588.suselist@xxxxxxxxx>
SuSE clients running k_deftl kernel 2.4.20-100 have problems accessing some
Microsoft IIS web servers, if they are behind an OpenBSD 3.4 Beta firewall
with packet normalizations using the new "reassemble tcp" option in "scrub".
After reinstalling the default kernel for the 8.2 Pro from the DVD, the
problem goes away. Non-IIS sites does not have this problem.

Some more information about this option may be found (with URL broken in three
lines) :

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0
&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
#TRAFFIC+NORMALIZATION


/Sigfred



For your information, here is the e-mail I sent to the OpenBSD packet filter
mailing list :



Not sure if this should be reported as a bug or not, so please bear with me.

A "scrub on $ext_if reassemble tcp" will deny some SuSE clients access to some
Microsoft IIS webservers. This appears to be an issue with SuSE's latest
kernel (2.4.20-100) only.

I'm not sure it it's the IIS servers themselves or some other strange things
happening, but the following sites (using IIS, according to netcraft.com)
cannot be browsed :

www.zmag.org
www.svd.se
www.dustin.se
www.xp-data.com
www.itpower.se

While the following works

www.mentice.com

The Windows, Mac and OpenBSD clients behind the firewall can access those
sites just fine.

If I use "scrub on $ext_if", then there is no problems with SuSE clients.

I rebuilt kernel/userland yesterday using -current.



< Previous Next >
This Thread
  • No further messages