Running a pair of OpenBSD-4.8-boxes as NAT-Firewall between public
Internet and some Linux-webservers in a DMZ basically works fine so far.

But this week a client enabled RFC-1323 and his http/https-access to our
webservers didn't work any more and all he got was an
ICMP-unreachable with un-NATed source-address. As a workaround he
provisionally disabled this option.

There is of course the other workaround to switch off
tcp-window-scaling, etc. on every box, but I hope to find a
configuration that works through the NAT-box.

I read some papers on OpenBSD's website but I'm still a bit confused
about all those scrub- and state-control-rules (with and without
renumbering), so it seems to be the right time for another testbed.

Problem: How can I simulate an http/https-access with enabled
RFC-1323-options?


TIA,
 Tobias.
