I'm going to revisit this topic... as a comment from eWeek's OpenHack 4
caught my attention.  On the following page, in the left column...

http://www.eweek.com/image_popup/0,3662,s=25546&iid=18512,00.asp

Regarding OpenBSD 3.2 PF:
  *** We did notice a few problems where pf rules we wrote using the
firewall's "keep state" option would incorrectly block packets returned as a
result of an incoming connection ***

That is a pretty good description of what I thought we observed that
prompted me to start this thread.  In our case, we suspected the problem
seemed to favor some users over others.  So I had assumed it was the browser
/ TCP/IP stack the web browser was using?

Maybe the common thread is:  Windows 2000 IIS behind the firewall.

When we used "keep state" on our out rules, we would see port 80 packets
originating from our IIS server were sometimes showing in the log as
dropped. But we could not figure out why some people have this happen and
not others.  At the time we were busy and had to resort to "pass out all on
port 80" style rules to get around the problem.

At this point I'm still at the discussion stage.  We are in the process of
updating our PF bridge firewalls from 3.1-STABLE to 3.2-STABLE right now, so
I don't have logs to show of this.  But I am interested if anyone else can
confirm this type of problem so we can help focus where to look.

We are using Intel ISP1100 servers for our PF firewalls, using the onboard
fxp adapters for the bridge.  These seem to be on the "good stuff" in terms
of recommended OpenBSD hardware.

After we get the firewall on 3.2-stable, I will revert back to using "keep
state" or "modulate state" instead of our pass out all and see what we find.

Again, anyone else in the same boat?

Thanks.

  Stephen Gutknecht

-----Original Message-----
From: Stephen Gutknecht (OBSD-PF) [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, November 23, 2002 3:02 AM
To: [EMAIL PROTECTED]
Subject: Public web server behind a PF bridge, crap clients


[snip]
We have an OpenBSD 3.1 firewall protecting a public web site.  We are using
good hardware (Intel ISP1100 1u server / Intel Pro Ethernet adapters) by all
accounts, etc.  At times, the only way we have been able to get a particular
user in is to make a special "pass all on port 80" rule for their IP.

My question:  How well does stateful inspection work with crappy clients?
Windows 95 users?  Windows for Workgroups 3.11 TCP/IP stack?  Macintosh 8.x
tcp/ip stacks, etc?  Are there cases where using stateful inspection, and
not using "allow all port 80" is preventing _users on "broken old systems"_
from accessing a public site?

On one hand, you want your users to reach your site - but you also want to be
secure (prevent spoofing, etc).  I wondered if people knew examples of some
broken client configurations that are known to cause problems.
