> Not sure if this should be reported as a bug or not, so please bear with me.
> A "scrub on $ext_if reassemble tcp" will deny some SuSE clients access to some 
> Microsoft IIS webservers. This appears to be an issue with SuSE's latest 
> kernel (2.4.20-100) only.
> I'm not sure if it's the IIS servers themselves or some other strange things 
> happening, but the following sites (using IIS, according to netcraft.com) 
> cannot be browsed :
>       www.zmag.org 
>       www.svd.se 
>       www.dustin.se 
>       www.xp-data.com 
>       www.itpower.se
> The Windows, Mac and OpenBSD clients behind the firewall can access those 
> sites just fine.

Can you get me a tcpdump capture of a problem connection?

If I had to guess at the problem with absolutely no data (and that's what
I'm doing), SuSE's kernel has sign problems when comparing the TCP
timestamps.  'reassemble TCP' will modulate the TCP timestamp values
with a random value.  Windows NT will start with a zero timestamp on the
SYN|ACK and then use a random value for it after the handshake (oddly
enough, OpenBSD and Windows are the only OSes that use a secure value).
PF will add a random number to it so SuSE will see the timestamp jump
from $PF_RAND to $PF_RAND + $WINDOWS_RAND after the handshake.
The timestamp standard says to drop TCP packets with an old timestamp.
If there are sign problems, the value could appear negative and all
packets could appear to be older.

The other remote possibility is that something sets the timestamp to
zero when they stop echoing the timestamp and PF doesn't honor that
zero.  I can't remember if that was only on ACKs or if it is legal.
Anyway.  I need a pcap.
 
.mike
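To illustrate the sign-problem hypothesis above (an added example, not part of the thread): a PAWS-style "is this timestamp older than the last one seen" check done with a naive signed comparison, next to the RFC 1323 modular comparison, fed constructed PF_RAND and WINDOWS_RAND values (assumptions, not from the mail) that make the modulated timestamp cross 2^31 after the handshake.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed values (assumption, not from the mail): PF's random
 * modulation offset and the random timestamp Windows switches to after
 * the handshake. Chosen so the modulated value crosses 2^31. */
#define PF_RAND      0x7FFFFFF0u
#define WINDOWS_RAND 0x00001000u

/* RFC 1323 / PAWS style comparison: unsigned subtraction interpreted as
 * a signed delta tolerates wraparound and the sign bit flipping. */
static bool tstmp_geq_modular(uint32_t a, uint32_t b) {
    return (int32_t)(a - b) >= 0;
}

/* Naive comparison that casts each timestamp to a signed int: once the
 * new value has the top bit set it looks negative, hence "older". */
static bool tstmp_geq_naive(uint32_t a, uint32_t b) {
    return (int32_t)a >= (int32_t)b;
}

/* Simulate the flow described in the mail: the SYN|ACK carries
 * timestamp 0 (PF modulates it to PF_RAND), then the server starts
 * using WINDOWS_RAND (PF modulates it to PF_RAND + WINDOWS_RAND).
 * Returns how many post-handshake segments the receiver drops as old. */
static int count_dropped(bool (*geq)(uint32_t, uint32_t), int segments) {
    uint32_t ts_recent = 0u + PF_RAND;      /* learned from the SYN|ACK */
    int dropped = 0;
    for (int i = 0; i < segments; i++) {
        uint32_t tsval = WINDOWS_RAND + PF_RAND + (uint32_t)i;
        if (geq(tsval, ts_recent)) {
            ts_recent = tsval;  /* accept, remember newest timestamp */
        } else {
            dropped++;          /* PAWS check rejects it as older */
        }
    }
    return dropped;
}
```

With the naive check every segment after the handshake is dropped, while the modular check accepts them all; a PF_RAND that keeps the sum below 2^31 would make both agree, which is why such a bug only shows up against some servers.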
