Hello.
  
  I have a problem with one specific host.
  
  When I try to connect from a host behind my OpenBSD 3.4-current NAT
gateway to www.dingologos.com, no TCP session can actually be established if
I have the following rule:

scrub on $if_ext proto tcp all fragment reassemble reassemble tcp

  If I remove "reassemble tcp", everything works.
  
  www.dingologos.com is the only host that has that behavior. Maybe they
have a broken firewall that filters out something that shouldn't be filtered,
but what?

  Here's a tcpdump output (m133.net... is the external address of my
gateway) of a connection that can't be established:
  
22:18:25.734672 0:80:ad:97:92:c8 8:0:3e:16:70:48 ip 74: 
m133.net81-67-152.noos.fr.56226 > www.dingologos.com.www: SWE 3623275979:3623275979(0) 
win 5840 <mss 1460,sackOK,timestamp 3071243284 1435020070,nop,wscale 0>
22:18:25.792842 8:0:3e:16:70:48 0:80:ad:97:92:c8 ip 66: www.dingologos.com.www > 
m133.net81-67-152.noos.fr.56226: . ack 3623275980 win 17520 <nop,nop,timestamp 
45353006 3071243284> (DF)
22:18:27.061249 8:0:3e:16:70:48 0:80:ad:97:92:c8 ip 78: www.dingologos.com.www > 
m133.net81-67-152.noos.fr.64226: S 4174067108:4174067108(0) ack 3367519756 win 17520 
<mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
22:18:28.367135 0:80:ad:97:92:c8 8:0:3e:16:70:48 ip 74: 
m133.net81-67-152.noos.fr.55513 > www.dingologos.com.www: SWE 235354528:235354528(0) 
win 5840 <mss 1460,sackOK,timestamp 2952341031 0,nop,wscale 0>
22:18:28.559636 8:0:3e:16:70:48 0:80:ad:97:92:c8 ip 78: www.dingologos.com.www > 
m133.net81-67-152.noos.fr.55513: S 3594166562:3594166562(0) ack 235354529 win 17520 
<mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
22:18:28.560033 0:80:ad:97:92:c8 8:0:3e:16:70:48 ip 54: 
m133.net81-67-152.noos.fr.55513 > www.dingologos.com.www: R 235354529:235354529(0) win 0
22:18:31.366010 0:80:ad:97:92:c8 8:0:3e:16:70:48 ip 74: 
m133.net81-67-152.noos.fr.55513 > www.dingologos.com.www: SWE 235354528:235354528(0) 
win 5840 <mss 1460,sackOK,timestamp 2952344031 4213757495,nop,wscale 0>
22:18:31.533942 8:0:3e:16:70:48 0:80:ad:97:92:c8 ip 78: www.dingologos.com.www > 
m133.net81-67-152.noos.fr.55513: S 3595794307:3595794307(0) ack 235354529 win 17520 
<mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
22:18:34.521515 8:0:3e:16:70:48 0:80:ad:97:92:c8 ip 78: www.dingologos.com.www > 
m133.net81-67-152.noos.fr.55513: S 3595794307:3595794307(0) ack 235354529 win 17520 
<mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
22:18:35.875271 0:80:ad:97:92:c8 8:0:3e:16:70:48 ip 74: 
m133.net81-67-152.noos.fr.64226 > www.dingologos.com.www: SWE 3367519755:3367519755(0) 
win 5840 <mss 1460,sackOK,timestamp 1527320421 487621199,nop,wscale 0>
22:18:35.981911 8:0:3e:16:70:48 0:80:ad:97:92:c8 ip 66: www.dingologos.com.www > 
m133.net81-67-152.noos.fr.64226: . ack 1 win 17520 <nop,nop,timestamp 45348521 
1527320421> (DF)

  Best regards,

-- 
                       Let internet explore your host
                    http://www.pivx.com/larholm/unpatched/
                    
