Argh - It might help if I explain more. I have an OpenBSD 3.8 system
running as a transparent packet filter (TPF).
The OS X system is inside ($lanif). Apple's network - CIDR 17/8 is
outside ($wanif). A Cisco PIX is doing NAT. IP's on the $wanif side
that are inside the PIX are considered as DMZ. IP's on the $lanif side
are considered LAN.
WAN---PIX/NAT---DMZ---TPF---LAN---OS X
Whenever I put a scrub rule with reassemble tcp on $wanif and/or $lanif
I have trouble with some sites. (e.g. Apple's Software Update).
setting debug to loud I get the messages I mention below.
-Dan
Daniel E. Hassler wrote:
More info - I ran a test scenario.
Here is a sample of the messages I get via syslog with set debug loud
and scrub with reassemble tcp trying to run OS X's Software Update.
Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not
receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108
17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0
wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0]
9:4 A
-Dan
Daniel E. Hassler wrote:
Hi Walter,
I've seen this behavior also. When I 'set debug loud' I got more
information recorded via syslog.
Some stuff about RFC1323 and bad-timestamp errors.
Below is a section of a pf.conf file. It would be interesting to know
if you get similar results with
set debug loud when trying to access problem sites.
# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using reassemble tcp on $lanif and/or $wanif
# Mac OS X software update fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with
debug loud
# All else works fine including other http on OS X. TBD: investigate
further.
#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble
-Dan
Walter Haidinger wrote:
Hi!
I'm running OpenBSD 3.9 GENERIC as a NAT router.
If I add the reassemble tcp option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particulary ebay (ebay.de,
ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
some other few sites, from a machine behind the NAT router.
Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on
the router, there is no problem.
If I omit reassemble tcp everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id
I've never noticed the problem before because I was running the
squid proxy on the router. Now I've moved it to a different machine
which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.
Unfortunately I cannot determine why only some sites have troubles
and that's why I seeking advice here on howto further diagnose
the problem.
Any hints are appreciated!
Regards, Walter
--
_ _ _
__| | __ _ _ __ | |__ __ _ ___ ___| | ___ _ __
/ _` |/ _` | '_ \ | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ | __/ |
\__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|
[EMAIL PROTECTED]
