Damon McMahon wrote:
Hello Jake,
On 08/04/2008, at 11:07 AM, Jacob Yocom-Piatt wrote:
have spent a fair deal of time working with pf and have just seen
what appears to be quite a bizarre problem:
topology is (internet)--pppoe--(openbsd fw - running
4.2-release)--switch--(wired/wifi router).
a winxp host connected to the wifi router has no problem viewing
webpages, etc, however, a macosx host connected to the wifi router
gets packets randomly (AFAICT) dropped by the openbsd fw. google
seems to load fine on the macosx machine but other sites will not
load with any regularity. the packet dropping has been observed on
the firewall using 'tcpdump -nettvi pflog0' and packets were being
blocked on the internal interface, either em2 or vlan2,
until the pf rule 'pass on $int_if' was changed to 'pass on $int_if
no state'. then packets started getting blocked on the external
interface, despite a rule 'pass out on $ext_if' as a catch-all at the
end of the ruleset. the rule that shows as being the blocker is
'block log all', the first rule in the set.
so in essence, i see rules that are not being obeyed in the pf
ruleset, but only for the macosx host and not the winxp one. the
macosx firewall is turned off and i can ssh from the macosx host to
the openbsd fw just fine. i can also ping fine from the macosx host,
so dns and routing are working.
clues as to wtf is going on would be appreciated. can supply more
detailed info on request.
cheers,
jake
I saw something sounding similar with a Mac OS X 10.3 (Panther) host
having packet fragmentation issues. In an effort to troubleshoot the
issue I altered the MTU on the Panther host to 1492, which appeared to
resolve the issue. Upgrading that mac to 10.4 (Tiger) reset the MTU to
1500 without the issue recurring.
I don't know if that helps, if not you might try posting your pf.conf
and a tcpdump packet capture.
damon,
this was exactly the issue, except it was osx 10.4.11. setting the mtu
to 1492 on the wireless interface did the trick. for whatever reason
this osx machine in this particular configuration was not working. the
same machine works at home with the same pf ruleset and network topology.
i have been informed that the proper fix for this is encapsulated in the
MTU section of man 4 pppoe. apparently i have been running without a
"proper" mtu setting in my pf.conf and it just so happened to have
worked this whole time. it is odd that the only machine and network
configuration i've ever seen this with is with this osx machine over
wireless at this site. have run for years with this setting off and no
probs....
cheers,
jake
Best wishes,
Damon
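For reference, this is the MTU/MSS handling from the pppoe(4) man page that the thread points at, shown as an added pf.conf excerpt and not a ruleset posted by anyone in the thread. It assumes the PPPoE link is pppoe0 and the LAN side is the $int_if macro from the original message; the interface names and the 4.2-era scrub syntax are the only assumptions here. The max-mss 1440 value is the one pppoe(4) recommends (1492 MTU minus 40 bytes of IP and TCP header), and it covers both the internal-interface drops and the later external-interface drops described above, because clamping the MSS keeps full-size TCP segments from ever being generated for a link they cannot fit on.

```pf
# Excerpt, not the ruleset from the thread. Interface names are assumptions.
ext_if = "pppoe0"
int_if = "em2"

# Before: no MSS clamping. A LAN host that negotiates a 1460-byte MSS
# sends 1500-byte packets, which do not fit the 1492-byte PPPoE MTU.
# If the resulting fragmentation-needed ICMP is lost or ignored, the
# connection stalls and the mismatched packets end up hitting
# 'block log all' even though a pass rule should match them.
#
# block log all
# pass on $int_if
# pass out on $ext_if

# After (pppoe(4), MTU/MSS ISSUES): rewrite the TCP MSS in SYNs leaving
# the PPPoE link so both ends size segments for a 1492-byte MTU.
scrub out on $ext_if max-mss 1440

block log all
pass on $int_if
pass out on $ext_if
```

Check with `pfctl -sr` that the scrub line is actually loaded ahead of the filter rules, and watch `tcpdump -nettvi pflog0` for the block entries to stop appearing; a host-side MTU of 1492, as used in the thread, works around the same problem but only for that one host, whereas the scrub rule fixes it for every client behind the firewall.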