
Public web server behind a PF bridge, crap clients



I'm curious if anyone can provide some experience on something I have
observed...
We have an OpenBSD 3.1 firewall protecting a public web site.  We are using
good hardware (Intel ISP1100 1u server / Intel Pro Ethernet adapters) by all
accounts, etc.  At times, the only way we have been able to get a particular
user in is to make a special "pass all on port 80" rule for their IP.
My question:  How well does stateful inspection work with crappy clients?
Windows 95 users?  Windows for Workgroups 3.11 TCP/IP stack?  Macintosh 8.x
TCP/IP stacks, etc.?  Are there cases where using stateful inspection, and
not using "allow all port 80" is preventing _users on "broken old systems"_
from accessing a public site?
On one hand, you want your users to reach your site - but you also want to be
secure (prevent spoofing, etc).  I wondered if people knew examples of some
broken client configurations that are known to cause problems.
Thank you.
  Stephen Gutknecht