so you're telling me that 3 host machines on my network running Mac OS 10.4 and 10.5 have a messed-up tcp/ip stack?

On Oct 9, 2008, at 7:26 PM, Ermal Luçi wrote:

On Fri, Oct 10, 2008 at 2:01 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
Going back a few weeks ago when I posted my issues getting to subaru.com, I came across another site that I could not get to behind pfSense (cisco.com).
I installed squid proxy and then I was able to get to subaru.com and cisco.com.

To refresh your memory, there are no rules blocking traffic on port 80. I'm on a cable modem. When on a shell on the firewall I can always telnet over port 80 to subaru.com, but I cannot from my client machines. The client sends a SYN but never receives the SYN/ACK from the firewall. However, the firewall does in fact get the SYN/ACK back from the webserver.

Finally, to my question: what are your thoughts as to why installing the proxy solved my issue?

It's simple. As I said in a previous post, problems might arise from:
1- tcp mss
2- timestamps not handled correctly
3- sacks not handled properly by the receiving host
4- tcp options not correctly set by your host
...
Basically any part of a tcp header that pf checks for a state.

Now with squid that works because the connection to the site is made directly from pfSense, which does know how to handle its own packets.

Mostly you seem to need more elaborate scrub rules for your hosts, which I suspect are having problems with path MTU discovery (a guess).

best,

-phil

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Ermal
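A concrete form of the "more elaborate scrub rules" suggested above, added here as an example and not taken from anyone in this thread; the interface name em0 and the MSS value 1440 are assumptions for a typical cable-modem link and should be adjusted to the actual WAN interface and path MTU:

```pf
# Added example (not from the thread): pf.conf normalisation rules in the
# FreeBSD/pfSense-era pf syntax. $wan is assumed to be the cable-modem
# interface; 1440 is an assumed MSS that leaves headroom below a 1500-byte MTU.
wan = "em0"

# Minimal rule: reassembles IP fragments only. It leaves the advertised MSS,
# the DF bit and TCP options untouched, so a client whose path MTU discovery
# fails can still end up with pf seeing a handshake it will not track.
# scrub in all

# More elaborate normalisation for the hosts behind the firewall:
#   no-df          clear the Don't-Fragment bit so oversized packets can be
#                  fragmented instead of silently dropped along the path
#   max-mss 1440   clamp the MSS the clients advertise so the server never
#                  sends segments larger than the path can carry
#   reassemble tcp normalise TCP timestamps and TTL handling so pf's state
#                  table sees a consistent stream from both directions
scrub on $wan all no-df max-mss 1440 reassemble tcp
```

After reloading with `pfctl -f /etc/pf.conf`, `pfctl -ss` should show the client's connection to the web server reaching ESTABLISHED:ESTABLISHED rather than sitting at SYN_SENT; if it still stalls, capture on the LAN and WAN interfaces with tcpdump to see which side of pf the SYN/ACK disappears on.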
