
kernel/2949: pf and modulate state fails with some sites

From: <jwilkins(at)bitland.net>
Date: Sun Oct 06 2002 - 17:02:57 EDT


>Number: 2949
>Category: kernel
net
>Environment:

	System      : OpenBSD 3.1
	Architecture: OpenBSD.i386
	Machine     : i386

>Description:
A pf ruleset using modulate state worked almost perfectly. The exceptions were few and far between, which is why this took me a little while to figure out. Some sites (Hotmail.com for example) seem to react poorly to whatever modulate state does. This results in a packet that the client sends where the sequence number is out of range. The corresponding RST is ignored, since it's out of range too. Switching the modulate state to a simple keep state seems to have resolved the issue.
>How-To-Repeat:
Use a modulate state rule for outbound TCP traffic. Sign in to a hotmail.com account. The sign-in part (with Passport) works, but actually getting into the Hotmail pages fails (everything times out).
>Fix:
Sorry, not familiar enough with the pf codebase.

>Release-Note:
Received on Thu Nov 7 16:55:36 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:37 EDT

