Re: PF NAT and Oracle/Linux mystery

2003-01-22 Thread Daniel Hartmeier
On Sat, Jan 18, 2003 at 01:57:17PM +, Steve Schmitz wrote: > If you consider gigabit/copper a fast network and can suggest > experiments/meassurements, I'll be happy to conduct them. TCP window scaling support has been commited to -current (pf.c 1.306). If you have a spare box to install -cu

Re: PF NAT and Oracle/Linux mystery

2003-01-18 Thread Mike Frantzen
> >We could add a "strip-wscale" option to scrub. It doesn't solve > >the state pickup issue, but could prevent clients communicating > >through the firewall from negotiating this option. > Does the Linux NAT code already do this? Linux's stock state code doesn't track sequence numbers. .mike

Re: PF NAT and Oracle/Linux mystery

2003-01-18 Thread Steve Schmitz
Maybe someone with experience in fast networks can comment on how average packet loss and latency affect the maximum TCP window you might want to use. With an MTU of 1500 or lower, over the Internet, do your windows actually go beyond 65535 bytes, even if you enable scaling? We have a (partly) gi

Re: PF NAT and Oracle/Linux mystery

2003-01-18 Thread Daniel Hartmeier
Another problem with very large window sizes is that it becomes more easy for an attacker to guess valid sequence numbers. With window scaling, the maximum shift is 14 (as per RFC 1323), so the window might become as large as 65535*2^14=1GB. Sequence numbers are 32-bit unsigned integers, so if bot

Re: PF NAT and Oracle/Linux mystery

2003-01-18 Thread Daniel Hartmeier
On Sat, Jan 18, 2003 at 08:42:04AM +, Steve Schmitz wrote: > Does the Linux NAT code already do this? Possibly, but I'll have to check the source code to verify. It could either strip the option or set any scale factors inside the option to zero. But doing that is not much simpler than actual

Re: PF NAT and Oracle/Linux mystery

2003-01-18 Thread Steve Schmitz
We could add a "strip-wscale" option to scrub. It doesn't solve the state pickup issue, but could prevent clients communicating through the firewall from negotiating this option. Does the Linux NAT code already do this? We tried and temporarily split up our combined firewall/NAT machine into tw

Re: PF NAT and Oracle/Linux mystery

2003-01-17 Thread kjell
> Return-Path: [EMAIL PROTECTED] > Delivery-Date: Fri Jan 17 14:46:14 2003 > If the client supports the extention, it will add a TCP option to its > initial SYN packet, indicating its support (and supplying its own scale > factor). If the peer also supports the extention, it will add its own > TCP

Re: PF NAT and Oracle/Linux mystery

2003-01-17 Thread Stefan Paletta
Daniel Hartmeier wrote/schrieb/scripsit: > I guess we could add support for the case where pf does see the > handshake, but this is the first time I see this problem reported, maybe > RFC 1323 adoption isn't that broad. Let's not do the ECN mistake again. -Stefan

Resolved: PF NAT and Oracle/Linux mystery

2003-01-17 Thread Steve Schmitz
Hi Daniel, hi Mike, and the others. Thank you very very much for your help! Now I know what caused the problem (TCP Window Scaling) and how to fix it ("echo 0 > /proc/sys/net/ipv4/tcp_window_scaling" on the clients), all without requiring access to the Oracle server machine, and without measure

Re: PF NAT and Oracle/Linux mystery

2003-01-17 Thread Daniel Hartmeier
On Fri, Jan 17, 2003 at 02:01:39PM +, Steve Schmitz wrote: > Any idea why they do this? The TCP header has only space to hold a 16-bit unsigned number to hold the window value, so windows are traditionally limited to 65535 bytes, which can limit performance on fast networks. RFC 1323 (http:/

Re: PF NAT and Oracle/Linux mystery

2003-01-17 Thread Steve Schmitz
You mentioned the behavior depends on the OS (and application) of the server. When Oracle runs on Solaris, it works. And when you connect to the Linux Oracle to another service (ssh, etc.), it works, too? I am not allowed to log into Linux/Oracle server. I tried with netcat on a sister machine

Re: PF NAT and Oracle/Linux mystery

2003-01-17 Thread Mike Frantzen
> You mentioned the behavior depends on the OS (and application) of the > server. When Oracle runs on Solaris, it works. And when you connect to > the Linux Oracle to another service (ssh, etc.), it works, too? If > that's the case, I wonder whether the Oracle on Linux is configured to > use any TC

Re: PF NAT and Oracle/Linux mystery

2003-01-17 Thread Daniel Hartmeier
On Fri, Jan 17, 2003 at 07:51:29AM +, Steve Schmitz wrote: > The firewall is running not quite the newest version of OpenBSD/PF (a 3.2 > beta). Is it advisable to upgrade, given the interruption in service? I doubt it will make a difference, as that part of the code (the sequence number trac

Re: PF NAT and Oracle/Linux mystery

2003-01-16 Thread Steve Schmitz
Could be fragments. Can you try with scrub in on $ext_if all no-df scrub out on $ext_if all no-df If you run pfctl -si, do you see any of the 'Counters' at the bottom increase when you get a stalled connection? Also, can you enable debug loggin (pfctl -x m) and check /var/log/messages for re

Re: PF NAT and Oracle/Linux mystery

2003-01-16 Thread Daniel Hartmeier
On Thu, Jan 16, 2003 at 02:54:29PM +, Steve Schmitz wrote: > Any ideas? Could be fragments. Can you try with scrub in on $ext_if all no-df scrub out on $ext_if all no-df If you run pfctl -si, do you see any of the 'Counters' at the bottom increase when you get a stalled connection? Als

PF NAT and Oracle/Linux mystery

2003-01-16 Thread Steve Schmitz
Hi, I have a problem with access to an Oracle database over an OpenBSD PF NAT setup. We (a particle physics institute) have a Linux cluster for our computations; the nodes have private IP addresses and contact the outside world via an OpenBSD/PF NAT machine. The NAT machine works perfectly fine