On Thu, Nov 10, 2011 at 11:53 PM, Tobias Crefeld <t...@cataneo.eu> wrote:
> Running a pair of OpenBSD-4.8-boxes as NAT-Firewall between public
> Internet and some Linux-webservers in a DMZ basically works fine so far.
>
> But this week a client enabled RFC-1323 and his http/https-access to our
> webservers didn't work any more and all he got was an
> ICMP-unreachable with un-NATed source-address. As a workaround he
> provisionally disabled this option.
>
> There is of course the other workaround to switch off
> tcp-windowscaling, etc. on every box, but I hope to find a
> configuration so that it works through the NAT-box.
>
> I read some papers on OpenBSD's website but I'm still a bit confused
> about all those scrub- and state-control-rules (with and without
> renumbering), so it seems to be the right time for another testbed.
>
> Problem: How can I simulate an http/https-access with enabled
> RFC-1323-options?
The issue of TCP window scaling for pf is well explained in the section
"Create TCP states on the initial SYN packet":
http://undeadly.org/cgi?action=article&sid=20060928081238

From my OpenBSD desktop using Firefox:

$ sudo pfctl -vvss
all tcp 192.168.222.20:13929 -> 74.125.79.19:443       ESTABLISHED:ESTABLISHED
   [2051800193 + 46464] wscale 0  [2773829936 + 16384] wscale 6
all tcp 192.168.222.20:28008 -> 80.255.11.121:80       FIN_WAIT_2:FIN_WAIT_2
   [2631730358 + 7808] wscale 0  [3474674542 + 16384] wscale 7

Adriaan
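A small checker for the pfctl -vvss output shown above, added here as an example; it is not part of Adriaan's message and not an OpenBSD tool. pf prints "wscale N" for a side only when it saw the window-scale option on the initial SYN/SYN-ACK; a state that was created mid-stream has no wscale values, so pf cannot compute the peer's scaled window and will drop segments that fall outside the unscaled one, which is the symptom the thread describes. The script parses the state lines, computes the effective window (win << wscale) per side, and lists states that lack the scaling information. The three-state sample is constructed: the first two states copy the format of the real output above, the third (203.0.113.5 is a documentation address) is a hypothetical state without wscale.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `pfctl -vvss` output. The last state is hypothetical:
# no "wscale" on either side, as pf shows it for a state created mid-stream.
SAMPLE = """\
all tcp 192.168.222.20:13929 -> 74.125.79.19:443       ESTABLISHED:ESTABLISHED
   [2051800193 + 46464] wscale 0  [2773829936 + 16384] wscale 6
all tcp 192.168.222.20:28008 -> 80.255.11.121:80       FIN_WAIT_2:FIN_WAIT_2
   [2631730358 + 7808] wscale 0  [3474674542 + 16384] wscale 7
all tcp 192.168.222.20:40001 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
   [1000000000 + 65535]  [2000000000 + 65535]
"""

# State header: "<if> tcp <src> [(nat)] -> <dst> [(nat)] <state>:<state>".
# The optional parenthesised address is how pf shows a NAT-translated endpoint.
HEADER = re.compile(
    r'^(\S+)\s+tcp\s+(\S+)(?:\s+\([^)]*\))?\s+(->|<-)\s+(\S+)(?:\s+\([^)]*\))?'
    r'\s+(\S+):(\S+)'
)
# One side of the sequence line: "[seq + win]" optionally "(+seqdiff)" and
# optionally " wscale N".
SIDE = re.compile(r'\[(\d+) \+ (\d+)\](?:\(\+\d+\))?(?: wscale (\d+))?')


@dataclass
class Side:
    seq: int
    win: int
    wscale: Optional[int]  # None when pf never saw the option for this side

    def effective_window(self) -> int:
        # RFC 1323 window scaling: real window = advertised window << shift.
        return self.win << (self.wscale or 0)


@dataclass
class State:
    src: str
    dst: str
    src_state: str
    dst_state: str
    sides: List[Side]

    def missing_wscale(self) -> bool:
        return any(s.wscale is None for s in self.sides)


def parse_states(text: str) -> List[State]:
    """Turn `pfctl -vvss` text into State objects (TCP states only)."""
    states: List[State] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            states.append(State(m.group(2), m.group(4), m.group(5), m.group(6), []))
            continue
        # The sequence line follows its header and starts with "[".
        if states and line.lstrip().startswith('['):
            for seq, win, ws in SIDE.findall(line):
                states[-1].sides.append(
                    Side(int(seq), int(win), int(ws) if ws else None))
    return states


def states_without_wscale(states: List[State]) -> List[str]:
    """Return 'src -> dst' for every two-sided state lacking scaling info."""
    return [f"{st.src} -> {st.dst}"
            for st in states if len(st.sides) == 2 and st.missing_wscale()]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_states(text)
    for st in parsed:
        wins = ", ".join(f"{s.effective_window()} (wscale {s.wscale})"
                         for s in st.sides)
        print(f"{st.src} -> {st.dst}: {wins}")
    for name in states_without_wscale(parsed):
        print(f"WARNING: no window scaling info in state {name}")
```

Run it as `sudo pfctl -vvss | python3 pf_wscale_check.py` on the firewall. Any state it warns about was not created on the initial SYN; the linked article's remedy is to make the pass rules create state only on the SYN (the flags S/SA rule option), so that the client's and server's scale factors are recorded in the state.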