Subject: Re: PF and TCP Window Scaling in NetBSD 3.0
To: None <tech-net@NetBSD.org>
From: Joerg Roedel <joro-bsd@zlug.org>
List: tech-net
Date: 07/11/2006 20:07:13
On Tue, Jul 11, 2006 at 02:57:03PM +0200, Daniel Hartmeier wrote:
> On Tue, Jul 11, 2006 at 02:04:33PM +0200, Joerg Roedel wrote:
> 
> > So it must be a problem in the filter code.
> 
> ... or the ruleset :)

Ok, you were right. Thanks for your useful tips :)
I added a "keep state" to the "pass in on $int_if" rule and the problem
disappears. But there is still an open question to me.

Why did it work at all with the Linux Kernel 2.6.16? I think
such a mistake in the ruleset should make all TCP connections stop
working (but it stops working only with a few sites, maybe depending on
the TCP scale factor they offer).
With the Linux Kernel 2.6.17.1 (which offers 3 for the window scaling;
2.6.16 offered 2, the only difference as far as I examined) TCP stops working
with all sites (in detail: the handshake succeeds, data is sent to the
peer, but the answer packets are dropped by the firewall).

Greets, Joerg
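The ruleset change described in the message, shown as an added pf.conf fragment that is not part of the thread. The interface macros, the internal network and the outbound rule are assumptions for illustration; the thread only mentions the "pass in on $int_if" rule. In the PF shipped with NetBSD 3.0, a rule is stateless unless it says "keep state", which is why the original inbound rule created no state entry for the client's connections.

```pf
# Added example, not from the thread. Macro values are assumed.
int_if  = "fxp0"
ext_if  = "fxp1"
int_net = "192.168.1.0/24"

# Weak form, as in the message: the rule matches the client's packets on
# the internal interface statelessly, so pf creates no state entry from it.
# pass in on $int_if proto tcp from $int_net to any

# Corrected form: "keep state" creates a state entry when the client's SYN
# arrives on the internal interface, so the rest of the connection
# (including the peer's replies leaving on $int_if) is matched against that
# state instead of being evaluated rule by rule. "flags S/SA" restricts
# state creation to the initial SYN, the packet that carries the client's
# window scale option.
pass in on $int_if proto tcp from $int_net to any flags S/SA keep state

# Outbound side on the external interface, also stateful (assumed rule).
pass out on $ext_if proto tcp from $int_net to any flags S/SA keep state
```

To verify the change rather than trust it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -ss` lists the state entries, so a connection from the internal network should now show up there with its endpoints. If a `block log` rule is in place, `tcpdump -n -e -ttt -i pflog0` shows which packets PF is dropping and on which interface, which is the quickest way to confirm whether the "answer packets" from the peer are the ones being discarded.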