Dear all,

using M0n0wall Version 1.2b1 I encounter problems connecting to e.g. http://www.bios-online.de/ .

Syslog shows messages of the form:

    [DateTime] ipmon[69]: [Time] ng0 @0:31 b [WebServerIP],80 -> [InternalHostIP],[DynPort] PR tcp len 20 48 -A IN

Windows Terminal sessions ARE possible: rdp://www.bios-online.de

I've done a packet capture (see below). Seems all SYNs to port 80 are answered with ACKs instead of SYN/ACKs.

Not using M0n0wall (Direct Dial-up / whatever) everything works fine and SYNs are answered correctly by these servers.

I believe the webserver is behind a Symantec Velociraptor appliance.

M0n0wall acts correctly when blocking the ACK packets because it works stateful and at this time the TCP three-way-handshake is not complete.

But what causes the other side to send ACK, not SYN/ACK !?

Kind regards,
- Frank

I've cut off Ethernet/PPPoE/PPP Headers. If anyone needs 'em, ask.
Packets were sent/received by www.pixelconcept.de, another host concerned.

Sent:
--
Internet Protocol, Src Addr: 217.238.203.251 (217.238.203.251), Dst Addr: 193.155.96.61 (193.155.96.61)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 64
    Identification: 0x2718 (10008)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x0cdd (correct)
    Source: 217.238.203.251 (217.238.203.251)
    Source or Destination Address: 217.238.203.251 (217.238.203.251)
    Destination: 193.155.96.61 (193.155.96.61)
    Source or Destination Address: 193.155.96.61 (193.155.96.61)
Transmission Control Protocol, Src Port: 5148 (5148), Dst Port: http (80), Seq: 1238160347, Ack: 0, Len: 0
    Source port: 5148 (5148)
    Destination port: http (80)
    Source or Destination Port: 5148
    Source or Destination Port: 80
    TCP Segment Len: 0
    Sequence number: 1238160347
    Header length: 44 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0xfc31 (correct)
    Options: (24 bytes)
        TCP MSS Option: True
        Maximum segment size: 1452 bytes
        NOP
        TCP Window Scale Option: True
        Window scale: 0 (multiply by 1)
        NOP
        NOP
        TCP Time Stamp Option: True
        Time stamp: tsval 0, tsecr 0
        NOP
        NOP
        SACK permitted

0000: 00 90 1A 40 1D 23 00 08 C7 07 A8 A4 88 64 11 00  ...@.#.......d..
0010: 1A 93 00 42 00 21 45 00 00 40 27 18 40 00 7F 06  ...B.!E..@'.@...
0020: 0C DD D9 EE CB FB C1 9B 60 3D 14 1C 00 50 49 CC  ........`=...PI.
0030: D3 DB 00 00 00 00 B0 02 40 00 FC 31 00 00 02 04  ........@..1....
0040: 05 AC 01 03 03 00 01 01 08 0A 00 00 00 00 00 00  ................
0050: 00 00 01 01 04 02                                ......
--

Received:
--
Packetyzer Trace:
Internet Protocol, Src Addr: 193.155.96.61 (193.155.96.61), Dst Addr: 217.238.203.251 (217.238.203.251)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 64
    Identification: 0x2718 (10008)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 105
    Protocol: TCP (0x06)
    Header checksum: 0x22dd (correct)
    Source: 193.155.96.61 (193.155.96.61)
    Source or Destination Address: 193.155.96.61 (193.155.96.61)
    Destination: 217.238.203.251 (217.238.203.251)
    Source or Destination Address: 217.238.203.251 (217.238.203.251)
Transmission Control Protocol, Src Port: http (80), Dst Port: 5148 (5148), Seq: 3055806948, Ack: 1239160347, Len: 24
    Source port: http (80)
    Destination port: 5148 (5148)
    Source or Destination Port: 80
    Source or Destination Port: 5148
    TCP Segment Len: 24
    Sequence number: 3055806948
    Next sequence number: 3055806972
    Acknowledgement number: 1239160347
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0x79cc (correct)
Hypertext Transfer Protocol
    Data (24 bytes)

0000: 00 08 C7 07 A8 A4 00 90 1A 40 1D 23 88 64 11 00  .........@.#.d..
0010: 1A 93 00 42 00 21 45 00 00 40 27 18 40 00 69 06  ...B.!E..@'.@.i.
0020: 22 DD C1 9B 60 3D D9 EE CB FB 00 50 14 1C B6 23  "...`=.....P...#
0030: E9 E4 49 DC 16 1B 50 10 40 00 79 CC 00 00 02 04  ..I...P.@.y.....
0040: 05 AC 01 03 03 00 01 01 08 0A 00 00 00 00 00 00  ................
0050: 00 00 01 01 04 02                                ......
--
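
The following is an added example, not part of the original post: it decodes the IP/TCP bytes from the two hex dumps above and lists what a stateful filter would find wrong with the reply as an answer to the SYN. The function names `parse_tcp` and `reply_anomalies` are illustrative.

```python
import struct

# IP header onward, copied from the two hex dumps in the post; the first
# 22 bytes of each dump (Ethernet/PPPoE/PPP framing) are left out.
OPTS = "020405ac 01 030300 0101 080a0000000000000000 0101 0402"
SENT = bytes.fromhex("45000040 27184000 7f060cdd d9eecbfb c19b603d"
                     "141c0050 49ccd3db 00000000 b0024000 fc310000" + OPTS)
RECEIVED = bytes.fromhex("45000040 27184000 690622dd c19b603d d9eecbfb"
                         "0050141c b623e9e4 49dc161b 50104000 79cc0000" + OPTS)

SYN, ACK = 0x02, 0x10


def parse_tcp(pkt):
    """Decode the IPv4/TCP fields a stateful filter looks at."""
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    seq, ack, off_flags = struct.unpack("!IIH", pkt[ihl + 4:ihl + 14])
    data_off = (off_flags >> 12) * 4                # TCP header length in bytes
    return {"ip_id": ip_id, "seq": seq, "ack": ack, "flags": off_flags & 0x3F,
            "options": pkt[ihl + 20:ihl + data_off],
            "payload": pkt[ihl + data_off:total_len]}


def reply_anomalies(syn_pkt, reply_pkt):
    """List what makes the reply unlike a SYN/ACK for this SYN."""
    syn, rep = parse_tcp(syn_pkt), parse_tcp(reply_pkt)
    found = []
    if rep["flags"] & (SYN | ACK) != (SYN | ACK):
        found.append("flags 0x%02x, expected SYN+ACK (0x12)" % rep["flags"])
    expected = (syn["seq"] + 1) & 0xFFFFFFFF        # a SYN consumes one sequence number
    if rep["ack"] != expected:
        found.append("ack %d, expected %d" % (rep["ack"], expected))
    if rep["payload"] and rep["payload"] == syn["options"]:
        found.append("payload repeats the SYN's %d option bytes" % len(rep["payload"]))
    if rep["ip_id"] == syn["ip_id"]:
        found.append("IP ID 0x%04x is the same as the SYN's" % rep["ip_id"])
    return found


if __name__ == "__main__":
    for line in reply_anomalies(SENT, RECEIVED):
        print("reply:", line)
```

On the captured bytes, the acknowledgement number is also not the SYN's sequence number plus one, and the 24 bytes dissected as HTTP data are byte-for-byte the TCP options of the SYN.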