scrubbing problem(s) with pf
I am having hard time with issue that some of the DSL (ATT) are having issues connecting to website behind my openbsd firewall. Now if I switched it back to cisco asa, access works flawlessly. Everyone including those on DSL (ATT) are able to access the website (with cisco) but as soon as I put my Openbsd firewall website access to SOME DSL (ATT) users stops working.

I troubleshooted the problem to be related to scrubbing (normalization of packets). So I tried couple of options in scrubbing rules and got couple of people experiencing the problem to work but there are few still complaining that they can't access the site. I have tried this from multiple different connections. Even with Verizon EVDO internet access, people can't access the site. It's really weird and I have been pulling my hair on this. I don't really want to put other firewall in. I would like to know what other people who are running openbsd as firewall are using for scrubbing.

Here is what I used first time:

    scrub in all

and then changed to

    scrub in all no-df
    scrub out all no-df

and got few of DSL users to see the site but then others still can't. Verizon users can't either.

Any thoughts/help highly appreciated. I don't want to go BALD :)

Thanks
Re: scrubbing problem(s) with pf
Did you read the pf suggestions via pppoe(4)? ATT tends to use pppoe(4)..

--
Todd Fries .. [EMAIL PROTECTED]

1.636.410.0632 (voice) | Free Daemon Consulting, LLC
1.405.227.9094 (voice) | http://FreeDaemonConsulting.com
1.866.792.3418 (FAX)   | ..in support of free software solutions.
250797 (FWD)           |

37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt

Penned by Parvinder Bhasin on 20080909 9:59.02, we have:
> I am having hard time with issue that some of the DSL (ATT) are having issues connecting to website behind my openbsd firewall. Now if I switched it back to cisco asa, access works flawlessly. Everyone including those on DSL (ATT) are able to access the website (with cisco) but as soon as I put my Openbsd firewall website access to SOME DSL (ATT) users stops working.
>
> I troubleshooted the problem to be related to scrubbing (normalization of packets). So I tried couple of options in scrubbing rules and got couple of people experiencing the problem to work but there are few still complaining that they can't access the site. I have tried this from multiple different connections. Even with Verizon EVDO internet access, people can't access the site. It's really weird and I have been pulling my hair on this. I don't really want to put other firewall in. I would like to know what other people who are running openbsd as firewall are using for scrubbing.
>
> Here is what I used first time:
>
>     scrub in all
>
> and then changed to
>
>     scrub in all no-df
>     scrub out all no-df
>
> and got few of DSL users to see the site but then others still can't. Verizon users can't either.
>
> Any thoughts/help highly appreciated. I don't want to go BALD :)
>
> Thanks
Re: scrubbing problem(s) with pf
On September 9, 2008 11:59:02 am Parvinder Bhasin wrote:
> I am having hard time with issue that some of the DSL (ATT) are having issues connecting to website behind my openbsd firewall. Now if I switched it back to cisco asa, access works flawlessly. Everyone including those on DSL (ATT) are able to access the website (with cisco) but as soon as I put my Openbsd firewall website access to SOME DSL (ATT) users stops working.
>
> I troubleshooted the problem to be related to scrubbing (normalization of packets). So I tried couple of options in scrubbing rules and got couple of people experiencing the problem to work but there are few still complaining that they can't access the site. I have tried this from multiple different connections. Even with Verizon EVDO internet access, people can't access the site. It's really weird and I have been pulling my hair on this. I don't really want to put other firewall in. I would like to know what other people who are running openbsd as firewall are using for scrubbing.
>
> Here is what I used first time:
>
>     scrub in all
>
> and then changed to
>
>     scrub in all no-df
>     scrub out all no-df
>
> and got few of DSL users to see the site but then others still can't. Verizon users can't either.
>
> Any thoughts/help highly appreciated. I don't want to go BALD :)
>
> Thanks

    scrub in
    scrub out on $ext_if max-mss 1440

has worked very well for me with my ISP. I am very interested in hearing about other ways of dealing with DSL connectivity.

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: scrubbing problem(s) with pf
Todd,

Yes I have. The problem is we cannot change anything on the client end, we can only fix it on our end. We have tried with cisco fw and the access works with those same people having issues but as soon as we put openbsd pf people begin to complain. These are just few users that we are testing, there may be other users who cannot reach the site either (which we don't know about).

-Parvinder Bhasin

On Sep 9, 2008, at 10:08 AM, Todd T. Fries wrote:
> Did you read the pf suggestions via pppoe(4)? ATT tends to use pppoe(4)..
>
> --
> Todd Fries .. [EMAIL PROTECTED]
>
> 1.636.410.0632 (voice) | Free Daemon Consulting, LLC
> 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com
> 1.866.792.3418 (FAX)   | ..in support of free software solutions.
> 250797 (FWD)           |
>
> 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
> http://todd.fries.net/pgp.txt
>
> Penned by Parvinder Bhasin on 20080909 9:59.02, we have:
>> I am having hard time with issue that some of the DSL (ATT) are having issues connecting to website behind my openbsd firewall. Now if I switched it back to cisco asa, access works flawlessly. Everyone including those on DSL (ATT) are able to access the website (with cisco) but as soon as I put my Openbsd firewall website access to SOME DSL (ATT) users stops working.
>>
>> I troubleshooted the problem to be related to scrubbing (normalization of packets). So I tried couple of options in scrubbing rules and got couple of people experiencing the problem to work but there are few still complaining that they can't access the site. I have tried this from multiple different connections. Even with Verizon EVDO internet access, people can't access the site. It's really weird and I have been pulling my hair on this. I don't really want to put other firewall in. I would like to know what other people who are running openbsd as firewall are using for scrubbing.
>>
>> Here is what I used first time:
>>
>>     scrub in all
>>
>> and then changed to
>>
>>     scrub in all no-df
>>     scrub out all no-df
>>
>> and got few of DSL users to see the site but then others still can't. Verizon users can't either.
>>
>> Any thoughts/help highly appreciated. I don't want to go BALD :)
>>
>> Thanks
Re: scrubbing problem(s) with pf
On Tue, Sep 09, 2008 at 12:11:04PM -0500, Vijay Sankar wrote:
| scrub in
| scrub out on $ext_if max-mss 1440
|
| has worked very well for me with my ISP. I am very interested in hearing about
| other ways of dealing with DSL connectivity.

    scrub on $ext_if reassemble tcp
    scrub in on $ext_if all min-ttl 10
    scrub out on $ext_if all no-df random-id

^^^ works great with Speakeasy DSL.