
[suse-security] k_deftl 2.4.20-100 problems accessing IIS sites through OpenBSD 3.4 Beta firewall



SuSE clients running k_deftl kernel 2.4.20-100 have problems accessing some 
Microsoft IIS web servers, if they are behind an OpenBSD 3.4 Beta firewall 
with packet normalizations using the new "reassemble tcp" option in "scrub". 
After reinstalling the default kernel for the 8.2 Pro from the DVD, the 
problem goes away. Non-IIS sites do not have this problem.

Some more information about this option may be found (with URL broken in three 
lines) :

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0
&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
#TRAFFIC+NORMALIZATION


/Sigfred



For your information, here is the e-mail I sent to the OpenBSD packet filter 
mailing list :



Not sure if this should be reported as a bug or not, so please bear with me.

A "scrub on $ext_if reassemble tcp" will deny some SuSE clients access to some 
Microsoft IIS webservers. This appears to be an issue with SuSE's latest 
kernel (2.4.20-100) only.

I'm not sure if it's the IIS servers themselves or some other strange things 
happening, but the following sites (using IIS, according to netcraft.com) 
cannot be browsed :

        www.zmag.org 
        www.svd.se 
        www.dustin.se 
        www.xp-data.com 
        www.itpower.se

While the following works

        www.mentice.com

The Windows, Mac and OpenBSD clients behind the firewall can access those 
sites just fine.

If I use "scrub on $ext_if", then there are no problems with SuSE clients.

I rebuilt kernel/userland yesterday using -current.


