I'm running a late-October post-4.6 snapshot on a new Soekris firewall,
and noticed something peculiar after setting up the rules per the new
pf.conf(5) man page. I had a few lesser-known websites just hang and
eventually time out (the "majors" still work fine), but thought little
of it until I went to the ISA web site (www.isa.org) to renew my
membership there and noticed the same effect.
I changed the following rule:
match in all scrub (reassemble tcp no-df random-id)
to
match in all scrub (no-df random-id)
and then www.isa.org came up as normal. (This latter match incantation
may be useless, or otherwise not make sense; I just removed "reassemble
tcp" as an experiment.)
This of course could just be coincidence, Internet problems, etc. so I
just wanted to ask if anyone else was experiencing this. I suspect the
answer will be that this should work fine, is the way things should be,
and these web sites are errant somehow, and that's OK, but I wanted to
make sure.
Thanks,
Corey