supplement: to remind of another fact already mentioned. Doing a "telnet www.bios-online.de 3389" works fine; the three-way TCP handshake completes. Is there a transparent proxy in front of the webserver processing the requests (probably for securing the IIS)? I can also make a packet capture of the successful RDP handshake - in the late afternoon ;-) *yawn*

- Frank

-----Original Message-----
From: Frank Peschel [mailto:frank dot peschel at nexgo dot de]
Sent: Wednesday, 20 October 2004 01:21
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Incompatibility with Symantec's Velociraptor firewall ?

Hello Kai,

nice to be directly in contact with B.I.O.S.. Let's sum up. I have the problem, Axel has it and a friend of mine also. You couldn't reproduce the problem. Did you test it with M0n0wall doing NAT?

The fact is: I receive an ACK after sending a SYN (see packet log). So what's wrong with my SYN packet / your firewall causing it to send ACK, not SYN/ACK!?

Regards from Hofgeismar,
Frank

-----Original Message-----
From: Kai Dittmann [mailto:k dot dittmann at bios dash online dot de]
Sent: Tuesday, 19 October 2004 18:23
To: Frank Peschel
Cc: k dot dittmann at bios dash online dot de
Subject: Re: [m0n0wall] Incompatibility with Symantec's Velociraptor firewall ?

Frank Peschel wrote:
> Dear all,
>
> using M0n0wall Version 1.2b1 I encounter problems connecting to e.g. http://www.bios-online.de/ .

Works fine here at the moment, also behind a 1.2b1. I can't reproduce the firewall's behaviour at the moment (not the m0n0's).

Regards from Kassel,
---
Kai Dittmann (B.I.O.S. Media Secure GmbH)

> Syslog shows messages of the form:
> [DateTime] ipmon[69]: [Time] ng0 @0:31 b [WebServerIP],80 -> [InternalHostIP],[DynPort] PR tcp len 20 48 -A IN
>
> Windows Terminal sessions ARE possible: rdp://www.bios-online.de
>
> I've done a packet capture (see below). Seems all SYNs to port 80 are answered with ACKs instead of SYN/ACKs.
> Not using M0n0wall (direct dial-up / whatever) everything works fine and SYNs are answered correctly by these servers. I believe
> the webserver is behind a Symantec Velociraptor appliance.
>
> M0n0wall acts correctly when blocking the ACK packets because it works statefully and at this time the TCP three-way handshake is not
> complete. But what causes the other side to send ACK, not SYN/ACK!?
>
>
> Kind regards,
> - Frank
>
>
>
> I've cut off Ethernet/PPPoE/PPP headers. If anyone needs 'em, ask.
> Packets were sent/received by www.pixelconcept.de, another host concerned.
> Sent:
> --
> Internet Protocol, Src Addr: 217.238.203.251 (217.238.203.251), Dst Addr: 193.155.96.61 (193.155.96.61)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 64
>     Identification: 0x2718 (10008)
>     Flags: 0x04 (Don't Fragment)
>         0... = Reserved bit: Not set
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 127
>     Protocol: TCP (0x06)
>     Header checksum: 0x0cdd (correct)
>     Source: 217.238.203.251 (217.238.203.251)
>     Source or Destination Address: 217.238.203.251 (217.238.203.251)
>     Destination: 193.155.96.61 (193.155.96.61)
>     Source or Destination Address: 193.155.96.61 (193.155.96.61)
> Transmission Control Protocol, Src Port: 5148 (5148), Dst Port: http (80), Seq: 1238160347, Ack: 0, Len: 0
>     Source port: 5148 (5148)
>     Destination port: http (80)
>     Source or Destination Port: 5148
>     Source or Destination Port: 80
>     TCP Segment Len: 0
>     Sequence number: 1238160347
>     Header length: 44 bytes
>     Flags: 0x0002 (SYN)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...0 .... = Acknowledgment: Not set
>         .... 0... = Push: Not set
>         .... .0.. = Reset: Not set
>         .... ..1. = Syn: Set
>         .... ...0 = Fin: Not set
>     Window size: 16384
>     Checksum: 0xfc31 (correct)
>     Options: (24 bytes)
>         TCP MSS Option: True
>         Maximum segment size: 1452 bytes
>         NOP
>         TCP Window Scale Option: True
>         Window scale: 0 (multiply by 1)
>         NOP
>         NOP
>         TCP Time Stamp Option: True
>         Time stamp: tsval 0, tsecr 0
>         NOP
>         NOP
>         SACK permitted
>
> 0000: 00 90 1A 40 1D 23 00 08 C7 07 A8 A4 88 64 11 00  ....@.#.......d..
> 0010: 1A 93 00 42 00 21 45 00 00 40 27 18 40 00 7F 06  ....B.!E..@'.@...
> 0020: 0C DD D9 EE CB FB C1 9B 60 3D 14 1C 00 50 49 CC  .........`=...PI.
> 0030: D3 DB 00 00 00 00 B0 02 40 00 FC 31 00 00 02 04  .........@..1....
> 0040: 05 AC 01 03 03 00 01 01 08 0A 00 00 00 00 00 00  .................
> 0050: 00 00 01 01 04 02                                ......
> --
>
> Received:
> --
> Packetyzer Trace:
>
> Internet Protocol, Src Addr: 193.155.96.61 (193.155.96.61), Dst Addr: 217.238.203.251 (217.238.203.251)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 64
>     Identification: 0x2718 (10008)
>     Flags: 0x04 (Don't Fragment)
>         0... = Reserved bit: Not set
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 105
>     Protocol: TCP (0x06)
>     Header checksum: 0x22dd (correct)
>     Source: 193.155.96.61 (193.155.96.61)
>     Source or Destination Address: 193.155.96.61 (193.155.96.61)
>     Destination: 217.238.203.251 (217.238.203.251)
>     Source or Destination Address: 217.238.203.251 (217.238.203.251)
> Transmission Control Protocol, Src Port: http (80), Dst Port: 5148 (5148), Seq: 3055806948, Ack: 1239160347, Len: 24
>     Source port: http (80)
>     Destination port: 5148 (5148)
>     Source or Destination Port: 80
>     Source or Destination Port: 5148
>     TCP Segment Len: 24
>     Sequence number: 3055806948
>     Next sequence number: 3055806972
>     Acknowledgement number: 1239160347
>     Header length: 20 bytes
>     Flags: 0x0010 (ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgment: Set
>         .... 0... = Push: Not set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 16384
>     Checksum: 0x79cc (correct)
> Hypertext Transfer Protocol
>     Data (24 bytes)
>
> 0000: 00 08 C7 07 A8 A4 00 90 1A 40 1D 23 88 64 11 00  ..........@.#.d..
> 0010: 1A 93 00 42 00 21 45 00 00 40 27 18 40 00 69 06  ....B.!E..@'.@.i.
> 0020: 22 DD C1 9B 60 3D D9 EE CB FB 00 50 14 1C B6 23  "...`=.....P...#
> 0030: E9 E4 49 DC 16 1B 50 10 40 00 79 CC 00 00 02 04  ...I...P.@.y.....
> 0040: 05 AC 01 03 03 00 01 01 08 0A 00 00 00 00 00 00  .................
> 0050: 00 00 01 01 04 02                                ......
> --
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
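As an added example that is not part of this thread or of m0n0wall: the two frames from the hex dump above (Ethernet, PPPoE session, PPP, IPv4, TCP), decoded with the standard library and checked against what a valid second handshake step must look like (flags SYN+ACK, acknowledgement number equal to the SYN's sequence number plus one, no payload). Run on the captured frames it reports exactly what the stateful filter saw: an ACK-only segment whose acknowledgement number lies 1,000,000 above the SYN's sequence number instead of 1, carrying 24 bytes of "data" that are a byte-for-byte echo of the SYN's TCP options.

```python
import struct
# Both frames transcribed from the hex dump in the post (offsets 0x0000-0x0055 of each).
SENT_SYN = bytes.fromhex(
    "0090 1a40 1d23 0008 c707 a8a4 8864 1100 1a93 0042 0021"       # Ethernet + PPPoE + PPP
    "4500 0040 2718 4000 7f06 0cdd d9ee cbfb c19b 603d"            # IPv4 header
    "141c 0050 49cc d3db 0000 0000 b002 4000 fc31 0000"            # TCP header, flags = SYN
    "0204 05ac 0103 0300 0101 080a 0000 0000 0000 0000 0101 0402")  # 24 bytes of TCP options
RECEIVED = bytes.fromhex(
    "0008 c707 a8a4 0090 1a40 1d23 8864 1100 1a93 0042 0021"
    "4500 0040 2718 4000 6906 22dd c19b 603d d9ee cbfb"
    "0050 141c b623 e9e4 49dc 161b 5010 4000 79cc 0000"            # TCP header, flags = ACK only
    "0204 05ac 0103 0300 0101 080a 0000 0000 0000 0000 0101 0402")  # 24 bytes of "HTTP data"
FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_frame(frame):
    """Walk Ethernet -> PPPoE session -> PPP -> IPv4 -> TCP and return the TCP fields."""
    if frame[12:14] != b"\x88\x64" or frame[20:22] != b"\x00\x21":
        raise ValueError("expected an IPv4 packet inside a PPPoE session frame")
    ip = frame[22:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4           # TCP header length in bytes
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": {name for bit, name in FLAG_NAMES.items() if off_flags & bit},
        "options": tcp[20:data_off], "payload": tcp[data_off:],
    }

def check_handshake_reply(syn, reply):
    """Return the reasons why `reply` is not a valid SYN/ACK for `syn` (empty list = it is)."""
    problems = []
    if reply["flags"] != {"SYN", "ACK"}:
        problems.append("flags %s, expected SYN+ACK" % sorted(reply["flags"]))
    expected_ack = (syn["seq"] + 1) & 0xFFFFFFFF
    if reply["ack"] != expected_ack:
        problems.append("ack %d, expected %d (SYN seq + 1, off by %d)"
                        % (reply["ack"], expected_ack, reply["ack"] - expected_ack))
    if reply["payload"]:
        echo = " that echoes the SYN's TCP options" if reply["payload"] == syn["options"] else ""
        problems.append("%d bytes of payload before the handshake completed%s" % (len(reply["payload"]), echo))
    return problems

if __name__ == "__main__":
    for p in check_handshake_reply(parse_frame(SENT_SYN), parse_frame(RECEIVED)):
        print("not a SYN/ACK:", p)
```

A stateful filter such as m0n0wall's ipfilter has no state entry that this segment matches, which is why the syslog line shows it blocked with only the `-A` flag set.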