LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-23-2011, 04:15 PM   #1
Durham
Linux PCs "blocked" in network with MS Firewall-1


For the last few weeks I have not been able to access the Internet with my Linux PCs on the county's network. At the gateway there is a web filter, IWSVA (InterScan Web Security Virtual Appliance) from Trend Micro. Behind the GW there is an MS Firewall-1 (r75). Directly behind this firewall I can access the Internet in a normal way, and everything seems to work OK.

At the municipality town hall there is a second MS Firewall-1 r75, and behind this one no PCs running Linux are able to access the Internet. Mac and Windows have no problems.

There is no use of proxy in the network.

With my Linux PC I can open HTTPS pages (also tested with wget).
HTTP pages time out (the same when I use wget).
SSH and SCP to remote hosts are possible.
FTP is not possible from Linux.
I can ping, trace and tcptraceroute the entire network.
Mail is working normally.

I do not believe that this MS Gold partner is doing this intentionally, but the result is that no PC running Linux can access the Internet at the county's schools, libraries, public areas with wifi, sports halls, town halls, and so on...
 
Old 02-23-2011, 05:14 PM   #2
kbp
Try starting httpd on a Linux box behind the gateway and test the connection to it from a Linux box at the town hall

i.e.

[linux_a]---[MSFW@town_hall]---------[linux_b_with_httpd]-------[MSFW@gateway]---[trend_appliance]---[internet]

If the connection fails at least you can run tcpdump to see if the traffic is actually being blocked.

I vaguely remember that years ago there used to be an MS Proxy client; not sure if it still exists, but it may be worth checking that there's nothing similar installed on the Windows PCs.
 
Old 02-23-2011, 05:19 PM   #3
pljvaldez
Have you tried changing your browser user agent? Clearly that won't work for FTP or wget, but maybe it'll at least let you browse the net.
 
Old 02-23-2011, 05:27 PM   #4
Durham
Yes, I have tried to change the user agent. No luck.
 
Old 02-24-2011, 01:40 PM   #5
Durham
I can access all web pages that run on servers on the inside of the GW and IWSVA.
 
Old 02-24-2011, 04:03 PM   #6
kbp
Do you have access to logs on the gateway or IWSVA?
 
Old 02-24-2011, 05:36 PM   #7
TB0ne
Quote:
Originally Posted by Durham View Post
I can access all webpages that run on servers on the inside of the GW and IWSVA
Unless you're the administrator of that network, there's not much you can do, aside from putting in a request to get things diagnosed/changed. The user-agent switcher is the only thing you could try, and it's not working, so there must be some other sort of identification/authentication being used that's on the Windows boxes, and not on the Linux side.

There MAY be ways around things, but per LQ rules, circumventing data security policies/protocols isn't something that's done here. I realize you may be asking for totally legitimate reasons, but we've got no way of KNOWING that for sure.
 
Old 02-25-2011, 05:28 AM   #8
archtoad6
Quote:
Originally Posted by pljvaldez View Post
Have you tried changing your browser user agent?
Especially, have you tried the "Mask" option in Opera?

Quote:
Originally Posted by Durham View Post
Yes, I have tried to change the user agent.
Which browsers, & what -- exactly, please -- did you change it to? Did you lift a user agent string right out of IE, including claiming to be "Winders"?

Last edited by archtoad6; 02-25-2011 at 05:31 AM.
 
Old 02-26-2011, 05:45 PM   #9
Durham
Quote:
Originally Posted by kbp View Post
Do you have access to logs on the gateway or IWSVA?
No, I don't have access to the logs from IWSVA.

Quote:
Originally Posted by TB0ne View Post
Unless you're the administrator of that network, there's not much you can do, aside from putting in a request to get things diagnosed/changed. The user-agent switcher is the only thing you could try, and it's not working, so there must be some other sort of identification/authentication being used that's on the Windows boxes, and not on the Linux side.
I have used Wireshark to compare the dump from the inside and the outside. When I'm on the inside, I see the first 3 packets of the session:

1. DNS query
2. DNS response
3. HTTP [SYN]
...but no HTTP [SYN, ACK]


Quote:
Originally Posted by TB0ne View Post
There MAY be ways around things, but per LQ rules, circumventing data security policies/protocols isn't something that's done here. I realize you may be asking for totally legitimate reasons, but we've got now way of KNOWING that for sure.
It is no problem to get around this when I can use SSH, but this is not the way to do it...

Quote:
Originally Posted by kbp View Post
Try starting httpd on a Linux box behind the gateway and test the connection to it from a Linux box at the town hall

i.e.

[linux_a]---[MSFW@town_hall]---------[linux_b_with_httpd]-------[MSFW@gateway]---[trend_appliance]---[internet]

If the connection fails at least you can run tcpdump to see if the traffic is actually being blocked.

I vaguely remember that years ago there used to be an MS Proxy client; not sure if it still exists, but it may be worth checking that there's nothing similar installed on the Windows PCs.
This seems interesting, but I didn't understand all of it. Could you try to explain a bit more?


I have talked to the ISP, and I believe them when they tell me that they do not understand why this is happening. They are trying to solve the problem, but I don't think they know where to look...

I have found a tiny difference in the third packet of the HTTP session.

Transmission...
Source port: 39407 (39407)
Destination port: http (80)
[Stream index: 2]

Transmission...
Source port: 53167 (53167)
Destination port: http (80)
[Stream index: 1]

The one with [Stream index: 1] completes the whole HTTP session.
The SATNET stream identifier option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept. The stream ID is regarded as an obsolete part of TCP.

Anyone who knows anything about this?

Last edited by Durham; 02-27-2011 at 07:35 AM.
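Added example, not from this thread or any poster: a small Python decoder that pulls the TCP options out of two raw SYN headers and reports where they differ, since a SYN that never gets a SYN-ACK while another host's SYN to the same server does is a classic symptom of a middlebox mishandling options such as window scaling, SACK or timestamps. Wireshark's bracketed [Stream index] is a capture-side conversation number rather than anything on the wire, so the comparison below looks at the option bytes themselves. The two headers are constructed here (the source ports are the ones quoted above; the option sets are illustrative, not captured from the poster's hosts).

```python
import struct

# TCP option kinds we decode (RFC 793, RFC 7323, RFC 2018); others are shown raw.
OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SACK-OK", 8: "Timestamps"}

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Decode the options carried in one raw TCP header into {name: value}."""
    data_offset = (tcp_header[12] >> 4) * 4     # header length in bytes
    opts = tcp_header[20:data_offset]
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # EOL: nothing more to read
            break
        if kind == 1:                           # NOP: one-byte alignment padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"malformed option kind {kind} at offset {i}")
        body = opts[i + 2:i + length]
        name = OPTION_NAMES.get(kind, f"kind{kind}")
        if kind == 2:
            found[name] = struct.unpack("!H", body)[0]
        elif kind == 3:
            found[name] = body[0]
        elif kind == 8:
            found[name] = struct.unpack("!II", body)  # (TSval, TSecr)
        else:
            found[name] = body.hex() or True        # SACK-OK carries no body
        i += length
    return found

def diff_syn_options(a: bytes, b: bytes) -> dict:
    """Options whose presence or value differs between two SYN headers."""
    oa, ob = parse_tcp_options(a), parse_tcp_options(b)
    keys = sorted(set(oa) | set(ob))
    return {k: (oa.get(k), ob.get(k)) for k in keys if oa.get(k) != ob.get(k)}

def build_syn(src_port: int, options: bytes) -> bytes:
    """Constructed SYN header to port 80; options must already be 4-byte aligned."""
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", src_port, 80, 1, 0, doff << 4, 0x02, 5840, 0, 0) + options

# Constructed samples: a Linux-style SYN (MSS, SACK-OK, timestamps, NOP, wscale 7)
# versus a minimal SYN carrying only MSS and SACK-OK.
SYN_A = build_syn(39407, bytes.fromhex("020405b4 0402 080a 000f4240 00000000 01 030307"))
SYN_B = build_syn(53167, bytes.fromhex("020405b4 0101 0402"))
```

To use it on a real capture, feed the raw TCP header bytes of each SYN (for example exported from Wireshark) to diff_syn_options; an empty result means the two stacks negotiated the same options and the cause lies elsewhere.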
 
Old 02-27-2011, 04:07 AM   #10
archtoad6
I don't know if your choice of words is confusing anyone else, but do you really mean "packet" and not "package"? If so, you can edit your last post to fix the confusion.