More info - I ran a test scenario.
Here is a sample of the messages I get via syslog with set debug loud and scrub with reassemble tcp trying to run OS X's "Software Update".

Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A

-Dan
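A small parser for the "set debug loud" lines pasted above, added here as an example and not part of the thread. It assumes pf always prints the RFC1323 message and then the TCP state dump as two consecutive kernel lines (the format shown above); the sample log is constructed, with only the first pair copied from the message and the remaining addresses, ports and times made up.

```python
import re
from collections import Counter

# Constructed sample of what pf logs under "set debug loud" when "reassemble tcp" rejects
# a segment. Lines 1-2 follow the thread's message; the rest are made up for this example.
SAMPLE_LOG = """\
Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A
Jul 19 19:42:39 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:39 obsd38 /bsd: TCP 192.168.1.14:65110 192.168.1.14:65110 17.250.248.95:80 [lo=4276950000 high=4276966384 win=65535 modulator=0 wscale=0] [lo=708500000 high=708565535 win=16384 modulator=0 wscale=0] 9:4 A
Jul 19 19:43:02 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:43:02 obsd38 /bsd: TCP 192.168.1.20:50112 192.168.1.20:50112 66.135.200.10:80 [lo=1000 high=17384 win=65535 modulator=0 wscale=0] [lo=2000 high=67535 win=16384 modulator=0 wscale=0] 4:4 A
Jul 19 19:43:10 obsd38 /bsd: TCP 192.168.1.20:50113 192.168.1.20:50113 66.135.200.10:80 [lo=1 high=2 win=3 modulator=0 wscale=0] [lo=4 high=5 win=6 modulator=0 wscale=0] 4:4 A
"""

SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /bsd: (?P<msg>.*)$')
TS_MSG = 'pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp'
# state dump: TCP <src> <gateway> <dst> [<src window>] [<dst window>] <states> <flags>
STATE_RE = re.compile(r'^TCP (?P<src>\S+) (?P<gw>\S+) (?P<dst>\S+) '
                      r'\[(?P<src_win>[^\]]*)\] \[(?P<dst_win>[^\]]*)\] \d+:\d+ \S+$')

def parse_window(text):
    """'lo=... high=... win=... modulator=... wscale=...' -> dict of ints."""
    return {k: int(v) for k, v in (kv.split('=', 1) for kv in text.split())}

def parse_timestamp_failures(log):
    """Pair each RFC1323 message with the state dump pf prints right after it."""
    events, pending = [], None
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                        # not a kernel message, ignore
        if m['msg'] == TS_MSG:
            pending = (m['ts'], m['host'])  # remember it, wait for the TCP line
            continue
        s = STATE_RE.match(m['msg'])
        if s and pending and pending[1] == m['host']:
            events.append({'time': pending[0], 'host': m['host'], 'src': s['src'],
                           'dst': s['dst'], 'src_win': parse_window(s['src_win']),
                           'dst_win': parse_window(s['dst_win'])})
            pending = None                  # a state dump without the message is not counted
    return events

def failures_by_destination(events):
    """Count failures per destination IP (port stripped): which sites trigger them."""
    return Counter(e['dst'].rsplit(':', 1)[0] for e in events)

if __name__ == '__main__':
    for dst, n in failures_by_destination(parse_timestamp_failures(SAMPLE_LOG)).most_common():
        print(f'{dst:<16} {n} RFC1323 timestamp failure(s)')
```

Feeding /var/log/messages through this gives the list of destinations that trip the timestamp check, which is the per-site picture Walter was asking for without having to read the raw dumps.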

Daniel E. Hassler wrote:

Hi Walter,

I've seen this behavior also. When I 'set debug loud' I got more information recorded via syslog.
Some stuff about RFC1323 and bad-timestamp errors.
Below is a section of a pf.conf file. It would be interesting to know if you get similar results with
set debug loud when trying to access problem sites.

################################################################################
# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using "reassemble tcp" on $lanif and/or $wanif
# Mac OS X "software update" fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with debug loud
# All else works fine including other http on OS X. TBD: investigate further.
#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble

-Dan

Walter Haidinger wrote:

Hi!

I'm running OpenBSD 3.9 GENERIC as a NAT router.

If I add the "reassemble tcp" option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particularly ebay (ebay.de, ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
some other few sites, from a machine behind the NAT router.
Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on the router, there is no problem.

If I omit "reassemble tcp" everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id

I've never noticed the problem before because I was running the squid proxy on the router. Now I've moved it to a different machine
which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.

Unfortunately I cannot determine why only some sites have troubles
and that's why I'm seeking advice here on how to further diagnose
the problem.

Any hints are appreciated!

Regards, Walter




--
     _               _                   _
  __| | __ _ _ __   | |__   __ _ ___ ___| | ___ _ __
 / _` |/ _` | '_ \  | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ |  __/ |
 \__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|
