Re: pf: reassemble tcp

[Henning Brauer]

* Sonic sonicsm...@gmail.com [2014-09-05 17:12]:
 On Fri, Sep 5, 2014 at 4:42 AM, Kapetanakis Giannis
 bil...@edu.physics.uoc.gr wrote:
  yeah, don't use reassemble tcp. it's not perfect.
 Isn't that default behavior?

hell, no.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

Re: pf: reassemble tcp

[Henning Brauer]

* Kapetanakis Giannis bil...@edu.physics.uoc.gr [2014-09-06 00:50]:
 I'm asking about reassemble tcp.
 
 According to some 2010's threads in misc@ it used to cause problems to some
 users.
 I'm wondering what's the status now.

unchanged.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

Re: pf: reassemble tcp

[Kapetanakis Giannis]

On 13/09/14 11:55, Henning Brauer wrote:

* Kapetanakis Giannis bil...@edu.physics.uoc.gr [2014-09-06 00:50]:

I'm asking about reassemble tcp.

According to some 2010's threads in misc@ it used to cause problems to some
users.
I'm wondering what's the status now.

unchanged.



Thanks for the reply

G

Re: pf: reassemble tcp

[Kapetanakis Giannis]

I've found the following in the archives. Is the situation still the 
same with

reassemble tcp?

My only scrub rule (in firewall/router) is
match in all scrub (no-df random-id reassemble tcp max-mss 1440)

Should I be worried?

Thanks

G

List:   openbsd-misc
Subject:Re: pf: reassemble tcp
From:   Henning Brauer lists-openbsd () bsws ! de
Date:   2010-01-14 1:46:17
Message-ID: 20100114014617.GH3135 () nudo ! bsws ! de
[Download message RAW]

* nixlists nixmli...@gmail.com [2010-01-13 22:56]:

Hi.

I have

  match in all scrub (tcp reassemble no-df random-id max-mss 1440)

in my pf.conf (-current)

Unless I remove 'tcp reassemble', one of the web sites (it's a
Windows/IIS) site cannot communicate with me - it hangs loading a
page.

Any ideas?


yeah, don't use reassemble tcp. it's not perfect.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting

Re: pf: reassemble tcp

[Sonic]

On Fri, Sep 5, 2014 at 4:42 AM, Kapetanakis Giannis
bil...@edu.physics.uoc.gr wrote:
 yeah, don't use reassemble tcp. it's not perfect.

Isn't that default behavior?

Is it recommended to disable this feature?

Re: pf: reassemble tcp

[Kapetanakis Giannis]

On 05/09/14 18:10, Sonic wrote:

On Fri, Sep 5, 2014 at 4:42 AM, Kapetanakis Giannis
bil...@edu.physics.uoc.gr wrote:

yeah, don't use reassemble tcp. it's not perfect.

Isn't that default behavior?

Is it recommended to disable this feature?


I'm not asking about set reassemble for fragmented packets (which in 
on by default),

I'm asking about reassemble tcp.

According to some 2010's threads in misc@ it used to cause problems to 
some users.

I'm wondering what's the status now.

regards,

G

another reassemble tcp problem - details for PF developers

[Alastair Johnson]

There has been 2 recent threads mentioning problems with reassemble tcp:

pf: reassemble tcp

problems with emails through pf



For info here is another. We solved the problem by removing this scrub.



We went from 4.3 with

scrub in all



to the latest 4.6 stable with

match in all scrub (reassemble tcp)



and bizarrely found we sometimes (~50%) couldnt FTP to several sites. It
would hang just before sending any data. This would happen about 50% of the
time and work fine the rest. It may be an irrelevant coincidence but each
FTP site that this happened with was Microsoft FTP. It never happened (ie
FTP always worked fine) with other server types. The OpenBSD firewall is
running ftp-proxy. The internal client is a linux desktop. Removing the
reassemble tcp scrub made the problem go away and a successful
connection/download every time.



We took tcpdumps on both the internal and external interfaces of the OpenBSD
firewall/ftp-proxy.



Looking at our capture on firewall internal interface, the payload of the
first TCP packet after the handshake seems to be ignored.  I see:



  Frames 26, 28, 29:  TCP handshake

  33:  first data from server

  34:  client then immediately sends ACK to server with seq=1

  35:  last of the data from server

  36:  server attempting to close connection

  37, 38:  Client sends two ACKs in quick succession, presumably responses
to 35, 36; sequence number is still 1

  ... server retransmits, client sends same ACKs, etc. until server gets
frustrated and sends a RST



It looks like the MS FTP server is being well-behaved, but each time some
data is received, the internal linux desktop immediately replies with an ACK
denying that any data was received.  This suggests that it's aware that it's
received some packets, but is rejecting the contents for some reason. Not
sure.



Looking at the capture on firewall external interface, is pretty much the
same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.



Like I said I supply this info just for curiosity. We have it working now by
removing reassemble tcp - maybe its helpful to the PF developers, maybe not.
Below is the screen output from the internal linux desktop using lftp.



Many thanks,



Alastair Johnson















= NOT Working =

-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls

 Connecting to 198.80.165.171 (198.80.165.171) port 21

--- 220 Microsoft FTP Service

--- FEAT

--- 530 Please login with USER and PASS.

--- AUTH TLS

--- 500 'AUTH TLS': command not understood

--- USER A

--- 331 Password required for A.

--- PASS B

--- 230-Welcome to Thomson Financial I/B/E/S FTP site.

--- This site is for authorized users only.

--- Any or all uses of this system and all files on

--- this system are monitored, recorded, and audited.

--- LOG OFF IMMEDIATELY if you do not agree to the

--- conditions stated in this warning.

--- 230 User A logged in.

--- FEAT

--- 211-FEAT

--- SIZE

--- MDTM

--- 211 END

--- PWD

--- 257 / is current directory.

--- PASV

--- 227 Entering Passive Mode (198,80,165,171,227,43)

 Connecting data socket to (198.80.165.171) port 58155

 Data connection established

--- LIST

--- 125 Data connection already open; Transfer starting.

--- 226 Transfer complete.

`ls' at 0 [Receiving data]

= Hang at this point ==







= Working =

snip



--- 230 User A logged in.

--- FEAT

--- 211-FEAT

--- SIZE

--- MDTM

--- 211 END

--- PWD

--- 257 / is current directory.

--- PASV

--- 227 Entering Passive Mode (198,80,165,171,198,136)

 Connecting data socket to (198.80.165.171) port 50824

 Data connection established

--- LIST

--- 125 Data connection already open; Transfer starting.

dr-xr-xr-x   1 ownergroup   0 Dec 22  2009 history

... and then more files/directories

another reassemble tcp problem - details for PF developers

[Alastair Johnson]

There has been 2 recent threads mentioning problems with reassemble tcp:
pf: reassemble tcp
problems with emails through pf

For info here is another. We solved the problem by removing this scrub.

We went from 4.3 with
scrub in all

to the latest 4.6 stable with
match in all scrub (reassemble tcp)

and bizarrely found we sometimes (~50%) couldnt FTP to several sites. 
It would hang just before sending any data. This would happen about 50% 
of the time and work fine the rest. It may be an irrelevant coincidence 
but each FTP site that this happened with was Microsoft FTP. It never 
happened (ie FTP always worked fine) with other server types. The 
OpenBSD firewall is running ftp-proxy. The internal client is a linux 
desktop. Removing the reassemble tcp scrub made the problem go away 
and a successful connection/download every time.


We took tcpdumps on both the internal and external interfaces of the 
OpenBSD firewall/ftp-proxy.


Looking at our capture on firewall internal interface, the payload of 
the first TCP packet after the handshake seems to be ignored. I see:


Frames 26, 28, 29: TCP handshake
33: first data from server
34: client then immediately sends ACK to server with seq=1
35: last of the data from server
36: server attempting to close connection
37, 38: Client sends two ACKs in quick succession, presumably responses 
to 35, 36; sequence number is still 1
... server retransmits, client sends same ACKs, etc. until server gets 
frustrated and sends a RST


It looks like the MS FTP server is being well-behaved, but each time 
some data is received, the internal linux desktop immediately replies 
with an ACK denying that any data was received. This suggests that it's 
aware that it's received some packets, but is rejecting the contents for 
some reason. Not sure.


Looking at the capture on firewall external interface, is pretty much 
the same, except that the second data packet (corresponding to #35) is 
completely missing. This might be a red herring.


Like I said I supply this info just for curiosity. We have it working 
now by removing reassemble tcp - maybe its helpful to the PF developers, 
maybe not. Below is the screen output from the internal linux desktop 
using lftp.


Many thanks,

Alastair Johnson







= NOT Working =
-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls
 Connecting to 198.80.165.171 (198.80.165.171) port 21
--- 220 Microsoft FTP Service
--- FEAT
--- 530 Please login with USER and PASS.
--- AUTH TLS
--- 500 'AUTH TLS': command not understood
--- USER A
--- 331 Password required for A.
--- PASS B
--- 230-Welcome to Thomson Financial I/B/E/S FTP site.
--- This site is for authorized users only.
--- Any or all uses of this system and all files on
--- this system are monitored, recorded, and audited.
--- LOG OFF IMMEDIATELY if you do not agree to the
--- conditions stated in this warning.
--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,227,43)
 Connecting data socket to (198.80.165.171) port 58155
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
--- 226 Transfer complete.
`ls' at 0 [Receiving data]
= Hang at this point ==



= Working =
snip

--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,198,136)
 Connecting data socket to (198.80.165.171) port 50824
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
dr-xr-xr-x 1 owner group 0 Dec 22 2009 history
... and then more files/directories

Re: another reassemble tcp problem - details for PF developers

[Stuart Henderson]

On 2010-01-15, Alastair Johnson att...@googlemail.com wrote:
 We went from 4.3 with
 scrub in all
   
 to the latest 4.6 stable with
 match in all scrub (reassemble tcp)

'scrub in all' on 4.3 is the same as 'scrub in all fragment reassemble'   
which is now done by default.

If you had done 'scrub in all reassemble tcp' on 4.3 you would probably
see the problem there too.

 and bizarrely found we sometimes (~50%) couldn?t FTP to several sites.   

Do you have any examples of public sites affected? ftp.microsoft.com
doesn't do this for me via 'scrub (reassemble tcp)' in -current.

Re: another reassemble tcp problem - details for PF developers

[Alastair Johnson]

no - only ftp to ftp.ibes.com and ftp to www.chi-x.com which are not public.
it seems to have failed after login just before or just as data started to
flow.

the strange thing is that data download works about half the time with
reassemble tcp switched on and all the time with it off.

appologies if i sent to the list more than once.

could possibly provide a traffic capture but i'm not sure how to strip out
unencrypted login details.




2010/1/15 Stuart Henderson s...@spacehopper.org

 On 2010-01-15, Alastair Johnson att...@googlemail.com wrote:
  We went from 4.3 with
  scrub in all
 
  to the latest 4.6 stable with
  match in all scrub (reassemble tcp)

 'scrub in all' on 4.3 is the same as 'scrub in all fragment reassemble'
 which is now done by default.

 If you had done 'scrub in all reassemble tcp' on 4.3 you would probably
 see the problem there too.

  and bizarrely found we sometimes (~50%) couldn?t FTP to several sites.

 Do you have any examples of public sites affected? ftp.microsoft.com
 doesn't do this for me via 'scrub (reassemble tcp)' in -current.

Re: another reassemble tcp problem - details for PF developers

[Michal]

snip

It may be an irrelevant coincidence but each
FTP site that this happened with was Microsoft FTP. It never happened (ie
FTP always worked fine) with other server types.

snip



I don't know if this matters, but I had some problems recently with
people downloading from external FTP servers and we found it had
something to do with the FTP client and the use of either the client of
external server using passive mode. I can't remember the exact details
but it came down to a the ms-client/server working differently then
expected...this probably won't help anyone but it might

reassemble tcp

[Alessandro Baggi]

Hi there. I've a problem with pf on OpenBSD 4.6

After different test, I've been reduced my pf.conf to those rules:

macros
set block-policy drop
match all scrub (no-df, random-id, reassemble tcp, max-mss 1440)
nat on $ext from $int:network - $ext:0
block log all
pass in on $int from any to any
pass out on $ext from $ext:0 to any


pfctl get all rules without errors, but I've problem during connection.
If I try to get login with pidgin (MSN) from slackware Linux It doesn't 
work.

If I try to get login with pidgin proxied from slackware it works.
I've tried also to remove reassemble tcp from the scrub and it works
If I try to get login with MSN from windows (proxied, with reassemble 
tcp, and no proxy) It works.


In all Linux pidgin failed connection I receive this:


connection: Connection error on 0x8551180 (reason: 0 description: 
Connection error from Notification server: Reading error)


But the connection will be dropped? (I receive also a block log of ack 
for the pidgin connection)


Another problem with reassemble tcp is with windows boot. I receive from 
syslog those messages:


block in on rl0: 10.1.3.53.137  10.1.255.255.137: udp 50

If I remove reassemble tcp It works fine.
I've tried also with a pass all rules...but with the same result. It's 
possible that a scrub with reassemble tcp option, blocks some packet?

What is the reason for this?

It's a my misconfiguration or is a normal behaviuour?

Thanks in advance!

Re: reassemble tcp

[Ted Unangst]

On Fri, Jan 15, 2010 at 3:33 PM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:
 If I remove reassemble tcp It works fine.
 I've tried also with a pass all rules...but with the same result. It's
 possible that a scrub with reassemble tcp option, blocks some packet?
 What is the reason for this?

http://marc.info/?l=openbsd-miscm=126344466917828w=2

Re: reassemble tcp

[Alessandro Baggi]

Ted Unangst wrote:

On Fri, Jan 15, 2010 at 3:33 PM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:
  

If I remove reassemble tcp It works fine.
I've tried also with a pass all rules...but with the same result. It's
possible that a scrub with reassemble tcp option, blocks some packet?
What is the reason for this?



http://marc.info/?l=openbsd-miscm=126344466917828w=2

  

Hi ted, thanks for the reply.
but then what's the meaning of this options?

another reassemble tcp problem - details for PF developers

[Alastair Johnson]

There has been 2 recent threads mentioning problems with reassemble tcp:
pf: reassemble tcp
problems with emails through pf

For info here is another. We solved the problem by removing this scrub.

We went from 4.3 with
scrub in all

to the latest 4.6 stable with
match in all scrub (reassemble tcp)

and bizarrely found we sometimes (~50%) couldnt FTP to several sites.
It would hang just before sending any data. This would happen about
50% of the time and work fine the rest. It may be an irrelevant
coincidence but each FTP site that this happened with was Microsoft
FTP. It never happened (ie FTP always worked fine) with other server
types. The OpenBSD firewall is running ftp-proxy. The internal client
is a linux desktop. Removing the reassemble tcp scrub made the
problem go away and a successful connection/download every time.

We took tcpdumps on both the internal and external interfaces of the
OpenBSD firewall/ftp-proxy.

Looking at our capture on firewall internal interface, the payload of
the first TCP packet after the handshake seems to be ignored.  I see:

  Frames 26, 28, 29:  TCP handshake
  33:  first data from server
  34:  client then immediately sends ACK to server with seq=1
  35:  last of the data from server
  36:  server attempting to close connection
  37, 38:  Client sends two ACKs in quick succession, presumably
responses to 35, 36; sequence number is still 1
  ... server retransmits, client sends same ACKs, etc. until server
gets frustrated and sends a RST

It looks like the MS FTP server is being well-behaved, but each time
some data is received, the internal linux desktop immediately replies
with an ACK denying that any data was received.  This suggests that
it's aware that it's received some packets, but is rejecting the
contents for some reason. Not sure.

Looking at the capture on firewall external interface, is pretty much
the same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.

Like I said I supply this info just for curiosity. We have it working
now by removing reassemble tcp - maybe its helpful to the PF
developers, maybe not. Below is the screen output from the internal
linux desktop using lftp.

Many thanks,

Alastair Johnson







= NOT Working =
-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls
 Connecting to 198.80.165.171 (198.80.165.171) port 21
--- 220 Microsoft FTP Service
--- FEAT
--- 530 Please login with USER and PASS.
--- AUTH TLS
--- 500 'AUTH TLS': command not understood
--- USER A
--- 331 Password required for A.
--- PASS B
--- 230-Welcome to Thomson Financial I/B/E/S FTP site.
--- This site is for authorized users only.
--- Any or all uses of this system and all files on
--- this system are monitored, recorded, and audited.
--- LOG OFF IMMEDIATELY if you do not agree to the
--- conditions stated in this warning.
--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,227,43)
 Connecting data socket to (198.80.165.171) port 58155
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
--- 226 Transfer complete.
`ls' at 0 [Receiving data]
= Hang at this point ==



= Working =
snip

--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,198,136)
 Connecting data socket to (198.80.165.171) port 50824
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
dr-xr-xr-x   1 ownergroup   0 Dec 22  2009 history
... and then more files/directories

reassemble tcp problem - details for PF developers

[Alastair Johnson]

There has been 2 recent threads mentioning problems with reassemble tcp:
pf: reassemble tcp
problems with emails through pf

For info here is another. We solved the problem by removing this scrub.

We went from 4.3 with
scrub in all

to the latest 4.6 stable with
match in all scrub (reassemble tcp)

and bizarrely found we sometimes (~50%) couldnt FTP to several sites.
It would hang just before sending any data. This would happen about
50% of the time and work fine the rest. It may be an irrelevant
coincidence but each FTP site that this happened with was Microsoft
FTP. It never happened (ie FTP always worked fine) with other server
types. The OpenBSD firewall is running ftp-proxy. The internal client
is a linux desktop. Removing the reassemble tcp scrub made the
problem go away and a successful connection/download every time.

We took tcpdumps on both the internal and external interfaces of the
OpenBSD firewall/ftp-proxy.

Looking at our capture on firewall internal interface, the payload of
the first TCP packet after the handshake seems to be ignored.  I see:

 Frames 26, 28, 29:  TCP handshake
 33:  first data from server
 34:  client then immediately sends ACK to server with seq=1
 35:  last of the data from server
 36:  server attempting to close connection
 37, 38:  Client sends two ACKs in quick succession, presumably
responses to 35, 36; sequence number is still 1
 ... server retransmits, client sends same ACKs, etc. until server
gets frustrated and sends a RST

It looks like the MS FTP server is being well-behaved, but each time
some data is received, the internal linux desktop immediately replies
with an ACK denying that any data was received.  This suggests that
it's aware that it's received some packets, but is rejecting the
contents for some reason. Not sure.

Looking at the capture on firewall external interface, is pretty much
the same, except that the second data packet (corresponding to #35) is
completely missing.  This might be a red herring.

Like I said I supply this info just for curiosity. We have it working
now by removing reassemble tcp - maybe its helpful to the PF
developers, maybe not. Below is the screen output from the internal
linux desktop using lftp.

Many thanks,

Alastair Johnson







= NOT Working =
-bash-3.1$ lftp -c open -uA,B 198.80.165.171; debug; ls
 Connecting to 198.80.165.171 (198.80.165.171) port 21
--- 220 Microsoft FTP Service
--- FEAT
--- 530 Please login with USER and PASS.
--- AUTH TLS
--- 500 'AUTH TLS': command not understood
--- USER A
--- 331 Password required for A.
--- PASS B
--- 230-Welcome to Thomson Financial I/B/E/S FTP site.
--- This site is for authorized users only.
--- Any or all uses of this system and all files on
--- this system are monitored, recorded, and audited.
--- LOG OFF IMMEDIATELY if you do not agree to the
--- conditions stated in this warning.
--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,227,43)
 Connecting data socket to (198.80.165.171) port 58155
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
--- 226 Transfer complete.
`ls' at 0 [Receiving data]
= Hang at this point ==



= Working =
snip

--- 230 User A logged in.
--- FEAT
--- 211-FEAT
--- SIZE
--- MDTM
--- 211 END
--- PWD
--- 257 / is current directory.
--- PASV
--- 227 Entering Passive Mode (198,80,165,171,198,136)
 Connecting data socket to (198.80.165.171) port 50824
 Data connection established
--- LIST
--- 125 Data connection already open; Transfer starting.
dr-xr-xr-x   1 ownergroup   0 Dec 22  2009 history
... and then more files/directories

pf: reassemble tcp

[nixlists]

Hi.

I have

  match in all scrub (tcp reassemble no-df random-id max-mss 1440)

in my pf.conf (-current)

Unless I remove 'tcp reassemble', one of the web sites (it's a
Windows/IIS) site cannot communicate with me - it hangs loading a
page.

Any ideas?

Re: pf: reassemble tcp

[Henning Brauer]

* nixlists nixmli...@gmail.com [2010-01-13 22:56]:
 Hi.
 
 I have
 
   match in all scrub (tcp reassemble no-df random-id max-mss 1440)
 
 in my pf.conf (-current)
 
 Unless I remove 'tcp reassemble', one of the web sites (it's a
 Windows/IIS) site cannot communicate with me - it hangs loading a
 page.
 
 Any ideas?

yeah, don't use reassemble tcp. it's not perfect.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting

Re: pf: reassemble tcp

[Ted]

On Thu, Jan 14, 2010 at 12:46 PM, Henning Brauer lists-open...@bsws.dewrote:


  I have
 
match in all scrub (tcp reassemble no-df random-id max-mss 1440)
 
  in my pf.conf (-current)

 yeah, don't use reassemble tcp. it's not perfect.


How about fragment reassemble?

I'm using it on my OpenBSD 4.5 pf, with scrub to enable a NAT AV app to
work.
Reading the man pages I noticed fragment reassemble has changed to
set reassembleunder scrub for 4.6 or -current.

It also looks like it is turned on by default in 4.5, 4.6 or current.

Re: pf: reassemble tcp

[Henning Brauer]

* Ted t...@pobox.com [2010-01-14 05:03]:
 On Thu, Jan 14, 2010 at 12:46 PM, Henning Brauer lists-open...@bsws.dewrote:
 
 
   I have
  
 match in all scrub (tcp reassemble no-df random-id max-mss 1440)
  
   in my pf.conf (-current)
 
  yeah, don't use reassemble tcp. it's not perfect.
 
 
 How about fragment reassemble?

that is an entirely different beast and should always be on (hey,
surprise, it IS by default!)

reassemble tcp is not the best name really. it is not really
reassembly of anything.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting

Re: scrub reassemble tcp and nat causes problems with some sites

[Steve Welham]

 Get tcpdumps on both router interfaces with and without the reassemble
 tcp option. Do this for a similar file on both a working website and
 broken (ebay) website.
 
 On both router interfaces? Wouldn't the external if be enough?

You're probably right. But my theory is that if you're going to go to
the effort of getting some comparable captures you may as well get them
all at the same time. Having both external and internal is helpful for
debugging issues with your router itself - i.e. it would indicate if the
packets arrived looking good and then, after pf, looked bad.

Re: scrub reassemble tcp and nat causes problems with some sitesB

[Walter Haidinger]

On Fri, 21 Jul 2006, Daniel E. Hassler wrote:

 Yes. I called it a Transparent Packet Filter (TPF) - the OpenBSD system is 
 acting as a
 bridge.
 It's transparent because neither of the interfaces has an IP configured.
 
 WAN---PIX---DMZ---TPF---LAN---OS X

Oh yes, I recall that image from one of your posts.
It's a filtering bridge then.

Would be interesting if bridging has something to do with
our reassemble tcp problem...

Perhaps because the if is in promiscuous mode?

However, as I've mentioned earlier, everything works _on_ the gateway
_without_ NAT. But regardless of NAT, all packets cross the bridge
which connects the OpenBSD VM to the external gateway (cablemodem).

Walter

PS: I'll do a cc to the mailing list too to let people know we're 
having a bridge involved.

Re: scrub reassemble tcp and nat causes problems with some sites

[Walter Haidinger]

On Thu, 20 Jul 2006, Steve Welham wrote:

 Get tcpdumps on both router interfaces with and without the reassemble
 tcp option. Do this for a similar file on both a working website and
 broken (ebay) website.

I have now. Got a dump of the following request (all on a single line):
wget -nd -O /dev/null -Y off 
http://de.ebayobjects.com/6k;h=v7/3429/0/0/%2a/b;32478602;0-0;0;8693398;13191-275/73;16963851/16981746/1;;~sscs=%3fhttp://listings.ebay.de/_W0QQsocmdZListingItemList?sofocus=sosbrftog=1catref=C3fccl=1from=R2fcl=4socmd=ListingItemListsatitle=sacat=25863%26catref%3DC6fsop=1%26fsoo%3D1fgtp=a6=-24a56=-24a51=-24a45419=-24gcs=1884pfid=2674reqtype=2pfmode=1alist=a6%2Ca56%2Ca51%2Ca3801%2Ca45419pf_query=sargn=-1%26saslc%3D3sascs=2ga10244=10425saslt=2saprclo=saprchi=so=Artikel+anzeigen;

This is just an URL of one of the ad images displayed on the right
hand side on ebay.de. With reassemble tcp I get reproducible timeouts.

 Then load the comparable captures into Ethereal/Wireshark and stare at
 them until it makes sense :-)

Well, both dumps of working and timing out requests are really quite 
similiar with two notable exceptions:

With reassemble tcp, the received HTTP response packets (HTTP 1.1 ...)
have a BAD packet checksum! However, this is not true all the time, just
sometimes. Would have been to easy anyways...

Interestingly though, the delay between the last packet sent (usually an
ACK) and the next packet received (HTTP continuation) is most of the time 
surprisingly long, ranging from tenths of a second, a couple of seconds 
and upto over a minute and even longer when wget finally times out with
a read error.

Without reassemble tcp, there are no checksum errors and no long 
delays, everything is usually well below 10 ms then. 

Can somebody draw some conclusions from this behaviour?
Or at least have a good guess? ;-)

I've also tried 'set debug load' if pf.conf because of Daniel's 
suggestion in this thread. Occasionally I get a loose state match
but the syslog timestamps do not really correlate with the dump 
timestamps (all ntp synced).

I've saved all the tcpdumps and the wget logs in case somebody wants
to examine them. Just tell me and I'll email them.

Walter

Re: scrub reassemble tcp and nat causes problems with some sitesB

[Walter Haidinger]

On Thu, 20 Jul 2006, Daniel E. Hassler wrote:

 I was hoping he could try 'set debug loud' in his pf.conf and check his
 /var/log/messages file after testing a problem site.
 If he sees messages similar to the one's I've seen maybe we both know a little
 more.

Unfortunately not. When I set debug to load, I just get some 
(not many) 'loose state match' messages in syslog. 

However, not only for the timing out sites, but also for e.g.
pop3 sessions or else. Don't seem to cause any troubles as far
as I can tell.

Walter 

Re: scrub reassemble tcp and nat causes problems with some sites

[Mike Frantzen]

Sorry, 'modulate tcp' was a thinko.  I had been meaning to move
'modulate state' into the scrubber for a long time.

Reassemble TCP does aggressive TCP PAWs checks on the TCP timestamps.
It does the usual PAWs check to make sure a timestamp is not older than
the last echoed value - which is in theory a wrapped sequence number.
It also does its aggressive check to make sure the timestamp did not
increase faster than the fastest clock which the RFC allows - an
attacker can kill a connection by spoofing a higher timestamp.  In
order to prevent blind TCP spoofing PF's scrub will require TCP
timestamps on all data packets if the first data packet had a
timestamp.  There are some transparent web caches out there that will
allow the 3whs to complete (exchanging timestamp information) and then
they will will hijack the TCP connection.  Of course the developers of
the hijacking device took some liberal shortcuts that make them look
just like a blind hijacker instead of a MITM hijacker.  If they hijack
in the middle of the data stream (like after they see the HTTP request)
and stop sending TCP Timestamps then PF's reassemble TCP will block
further packets.

.mike

 What is 'modulate tcp'?
 modulate state works fine.
 I get these errors only with scrub's reassemble tcp option
 I originally assumed it was an Apple problem since I only had trouble 
 with the OS X Software Update feature.
 Going back to the beginning of this thread - Walter Haidinger appears to 
 have a similar problem but not with Apple.
 I was hoping he could try 'set debug loud' in his pf.conf and check his 
 /var/log/messages file after testing a problem site.
 If he sees messages similar to the one's I've seen maybe we both know a 
 little more.
 
 -Dan

Re: scrub reassemble tcp and nat causes problems with some sites

[Walter Haidinger]

On Fri, 21 Jul 2006, Mike Frantzen wrote:

 Reassemble TCP does aggressive TCP PAWs checks on the TCP timestamps.
 It does the usual PAWs check to make sure a timestamp is not older than
 the last echoed value - which is in theory a wrapped sequence number.
 It also does its aggressive check to make sure the timestamp did not
 increase faster than the fastest clock which the RFC allows - an
 attacker can kill a connection by spoofing a higher timestamp.  In
 order to prevent blind TCP spoofing PF's scrub will require TCP
 timestamps on all data packets if the first data packet had a
 timestamp.  There are some transparent web caches out there that will
 allow the 3whs to complete (exchanging timestamp information) and then
 they will will hijack the TCP connection.  Of course the developers of
 the hijacking device took some liberal shortcuts that make them look
 just like a blind hijacker instead of a MITM hijacker.  If they hijack
 in the middle of the data stream (like after they see the HTTP request)
 and stop sending TCP Timestamps then PF's reassemble TCP will block
 further packets.

How does this interfere with the NAT code?

Reassemble tcp has _only_ problems from a machine behind the OpenBSD
NAT router. On the router itself or if using a proxy running on it,
there is no problem.

So I'd think that it is actually an OpenBSD bug in the NAT and/or
reassemble tcp code.

How can this be verified?

Regards, 
Walter

Re: scrub reassemble tcp and nat causes problems with some sites

[viq]

On Friday 21 July 2006 18:38, Walter Haidinger wrote:
 On Fri, 21 Jul 2006, Mike Frantzen wrote:
  Reassemble TCP does aggressive TCP PAWs checks on the TCP timestamps.
  It does the usual PAWs check to make sure a timestamp is not older than
  the last echoed value - which is in theory a wrapped sequence number.
  It also does its aggressive check to make sure the timestamp did not
  increase faster than the fastest clock which the RFC allows - an
  attacker can kill a connection by spoofing a higher timestamp.  In
  order to prevent blind TCP spoofing PF's scrub will require TCP
  timestamps on all data packets if the first data packet had a
  timestamp.  There are some transparent web caches out there that will
  allow the 3whs to complete (exchanging timestamp information) and then
  they will will hijack the TCP connection.  Of course the developers of
  the hijacking device took some liberal shortcuts that make them look
  just like a blind hijacker instead of a MITM hijacker.  If they hijack
  in the middle of the data stream (like after they see the HTTP request)
  and stop sending TCP Timestamps then PF's reassemble TCP will block
  further packets.

 How does this interfere with the NAT code?

 Reassemble tcp has _only_ problems from a machine behind the OpenBSD
 NAT router. On the router itself or if using a proxy running on it,
 there is no problem.

Not sure whether this is relevant, but I had a similiar obscure 'bug' - some 
pages (from what I found most notably anything on *.free.fr) was timing out 
from behind the router, while the router itself was opening those pages 
without any issues. That behaviour disappeared when i commented out the first 
NAT rule I had in pf.conf:
no nat on $ext_if from $int_if to $int_if
Now everything works smoothly...
Changing scrub one way or the other made no difference, most of the time I had 
in there:
scrub in all


 So I'd think that it is actually an OpenBSD bug in the NAT and/or
 reassemble tcp code.

 How can this be verified?

 Regards,
 Walter

-- 
viq

Re: scrub reassemble tcp and nat causes problems with some sites

[Daniel E. Hassler]

Argh - It might help if I explain more. I have an OpenBSD 3.8 system 
running as a transparent packet filter (TPF).
The OS X system is inside ($lanif). Apple's network - CIDR 17/8 is 
outside ($wanif).  A Cisco PIX is doing NAT. IP's on the $wanif side 
that are inside the PIX are considered as DMZ. IP's on the $lanif side 
are considered LAN.


WAN---PIX/NAT---DMZ---TPF---LAN---OS X

Whenever I put a scrub rule with reassemble tcp on $wanif and/or $lanif 
I have trouble with some sites. (e.g. Apple's Software Update). 
setting debug to loud I get the messages I mention below.


-Dan

Daniel E. Hassler wrote:


More info - I ran a test scenario.
Here is a sample of the messages I get via syslog with set debug loud 
and scrub with reassemble tcp trying to run OS X's Software Update.


Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not 
receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 
17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 
wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 
9:4 A


-Dan

Daniel E. Hassler wrote:


Hi Walter,

I've seen this behavior also. When I  'set debug loud' I got more 
information recorded via syslog.

Some stuff about RFC1323 and bad-timestamp errors.
Below is a section of a pf.conf file. It would be interesting to know 
if you get similar results with

set debug loud when trying to access problem sites.

 


# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using reassemble tcp on $lanif and/or $wanif
# Mac OS X software update fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with 
debug loud
# All else works fine including other http on OS X. TBD: investigate 
further.

#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble

-Dan

Walter Haidinger wrote:


Hi!

I'm running OpenBSD 3.9 GENERIC as a NAT router.

If I add the reassemble tcp option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particulary ebay (ebay.de, 
ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and

some other few sites, from a machine behind the NAT router.
Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on 
the router, there is no problem.


If I omit reassemble tcp everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id

I've never noticed the problem before because I was running the 
squid proxy on the router. Now I've moved it to a different machine

which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.

Unfortunately I cannot determine why only some sites have troubles
and that's why I seeking advice here on howto further diagnose
the problem.

Any hints are appreciated!

Regards, Walter


 







--
 _   _   _
  __| | __ _ _ __   | |__   __ _ ___ ___| | ___ _ __
 / _` |/ _` | '_ \  | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ |  __/ |
 \__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|

[EMAIL PROTECTED]

Re: scrub reassemble tcp and nat causes problems with some sites

[Mike Frantzen]

You're going to have to turn off 'modulate tcp'.  One of the TCP
endpoints isn't following PAWs and stopped sending the TCP
Timestamps or someone is trying to blind hijack the connection.

 More info - I ran a test scenario.
 Here is a sample of the messages I get via syslog with set debug loud 
 and scrub with reassemble tcp trying to run OS X's Software Update.
 
 Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive 
 expected RFC1323 timestamp
 Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 
 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 
 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A
 
 -Dan

Re: scrub reassemble tcp and nat causes problems with some sites

[Walter Haidinger]

 It's a stab in the dark but I would start with the assumption that some
 sites are using server load balancing and that reassemble tcp is
 breaking this somehow.

Could be. Lets suspect poor load balancing because other big sites,
which most likely do load balancing too, work. eBay is just the prime
example where it does not...

 Then I'd try and prove that assumption by looking
 at the tcpdumps specifically for how reassemble tcp changes may be
 interfering.

I'd have hoped that there is a less tedious solution... ;-)

 Get tcpdumps on both router interfaces with and without the reassemble
 tcp option. Do this for a similar file on both a working website and
 broken (ebay) website.

On both router interfaces? Wouldn't the external if be enough?

 Tips on doing this:

[well appreciated tips cut]

 Then load the comparable captures into Ethereal/Wireshark and stare at
 them until it makes sense :-)

That's the tedious part! ;-)

Thanks, Walter

Re: scrub reassemble tcp and nat causes problems with some sites

[Daniel E. Hassler]

What is 'modulate tcp'?
modulate state works fine.
I get these errors only with scrub's reassemble tcp option
I originally assumed it was an Apple problem since I only had trouble 
with the OS X Software Update feature.
Going back to the beginning of this thread - Walter Haidinger appears to 
have a similar problem but not with Apple.
I was hoping he could try 'set debug loud' in his pf.conf and check his 
/var/log/messages file after testing a problem site.
If he sees messages similar to the one's I've seen maybe we both know a 
little more.


-Dan


Mike Frantzen wrote:


You're going to have to turn off 'modulate tcp'.  One of the TCP
endpoints isn't following PAWs and stopped sending the TCP
Timestamps or someone is trying to blind hijack the connection.

 


More info - I ran a test scenario.
Here is a sample of the messages I get via syslog with set debug loud 
and scrub with reassemble tcp trying to run OS X's Software Update.


Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive 
expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 
17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 
wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A


-Dan
   






 



--
 _   _   _
  __| | __ _ _ __   | |__   __ _ ___ ___| | ___ _ __
 / _` |/ _` | '_ \  | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ |  __/ |
 \__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|

[EMAIL PROTECTED]

scrub reassemble tcp and nat causes problems with some sites

[Walter Haidinger]

Hi!

I'm running OpenBSD 3.9 GENERIC as a NAT router.

If I add the reassemble tcp option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particulary ebay (ebay.de, 
ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
some other few sites, from a machine behind the NAT router. 

Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on 
the router, there is no problem.

If I omit reassemble tcp everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id

I've never noticed the problem before because I was running the 
squid proxy on the router. Now I've moved it to a different machine
which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.

Unfortunately I cannot determine why only some sites have troubles
and that's why I seeking advice here on howto further diagnose
the problem.

Any hints are appreciated!

Regards, 
Walter  

Re: scrub reassemble tcp and nat causes problems with some sites

[Sebastian Benoit]

Walter Haidinger([EMAIL PROTECTED]) on 2006.07.19 12:28:52 +:
 Hi!

 I'm running OpenBSD 3.9 GENERIC as a NAT router.

 If I add the reassemble tcp option to my scrub rule in pf.conf,
 I have trouble connecting to some sites, particulary ebay (ebay.de,
 ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
 some other few sites, from a machine behind the NAT router.

 Connects time out or have long delays if the site responds at all.
 If connecting directly from OpenBSD, using lynx or squid running on
 the router, there is no problem.

This sounds like a MTU problem. Either those sites are blocking
ICMP-frag-needed messages or you are.

 - set the correct MTU
 - check pf.conf for scrub max-mss [...]
 - google
 - why do you use no-df?

/B.

[demime 1.01d removed an attachment of type application/pgp-signature]

Re: scrub reassemble tcp and nat causes problems with some sites

[Walter Haidinger]

On Wed, 19 Jul 2006, Sebastian Benoit wrote:

 This sounds like a MTU problem. Either those sites are blocking

Unlikely. I have cable, not a PPTP/PPPoE link. Therefore, no packet
encapsulation. I'm aware of the MTU issue with ADSL.

 ICMP-frag-needed messages or you are.

I think I am. _Only_ reassemble tcp breaks things, but why?

  - set the correct MTU
  - check pf.conf for scrub max-mss [...]

No changes necessary, IMHO. 

  - google

Have done this, of course. Turned up e.g.: 
http://www.benzedrine.cx/pf/msg07352.html
http://monkey.org/openbsd/archive/bugs/0312/msg00059.html

Similar problem but no solution.

  - why do you use no-df?

Because of the NFS issue mentionied in pf.conf(5) and the FAQ.
May not be useful on the external interface, though.
However, the problem persists even without no-df.

Regards, 
Walter

Re: scrub reassemble tcp and nat causes problems with some sites

[Steve Welham]

 Unfortunately I cannot determine why only some sites have troubles
 and that's why I seeking advice here on howto further diagnose
 the problem.
 
 Any hints are appreciated!

It's a stab in the dark but I would start with the assumption that some
sites are using server load balancing and that reassemble tcp is
breaking this somehow. Then I'd try and prove that assumption by looking
at the tcpdumps specifically for how reassemble tcp changes may be
interfering.

Get tcpdumps on both router interfaces with and without the reassemble
tcp option. Do this for a similar file on both a working website and
broken (ebay) website.

Tips on doing this:
- be careful not to filter too much, you might miss an important icmp
reply from an interim router
- make sure tcpdump's snaplen is big enough to get all the headers -
including http
- try and replicate the issue with small html files so the packet
captures aren't too busy
- ensure that each capture sees the tcp handshake and FIN

Then load the comparable captures into Ethereal/Wireshark and stare at
them until it makes sense :-)

Steve

Re: scrub reassemble tcp and nat causes problems with some sites

[Daniel E. Hassler]

Hi Walter,

I've seen this behavior also. When I  'set debug loud' I got more 
information recorded via syslog.

Some stuff about RFC1323 and bad-timestamp errors.
Below is a section of a pf.conf file. It would be interesting to know if 
you get similar results with

set debug loud when trying to access problem sites.


# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using reassemble tcp on $lanif and/or $wanif
# Mac OS X software update fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with debug loud
# All else works fine including other http on OS X. TBD: investigate 
further.

#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble

-Dan

Walter Haidinger wrote:


Hi!

I'm running OpenBSD 3.9 GENERIC as a NAT router.

If I add the reassemble tcp option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particulary ebay (ebay.de, 
ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
some other few sites, from a machine behind the NAT router. 


Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on 
the router, there is no problem.


If I omit reassemble tcp everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id

I've never noticed the problem before because I was running the 
squid proxy on the router. Now I've moved it to a different machine

which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.

Unfortunately I cannot determine why only some sites have troubles
and that's why I seeking advice here on howto further diagnose
the problem.

Any hints are appreciated!

Regards, 
Walter  





 



--
 _   _   _
  __| | __ _ _ __   | |__   __ _ ___ ___| | ___ _ __
 / _` |/ _` | '_ \  | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ |  __/ |
 \__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|

[EMAIL PROTECTED]

Re: scrub reassemble tcp and nat causes problems with some sites

[Daniel E. Hassler]

More info - I ran a test scenario.
Here is a sample of the messages I get via syslog with set debug loud 
and scrub with reassemble tcp trying to run OS X's Software Update.


Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive 
expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 
17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 
wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A


-Dan

Daniel E. Hassler wrote:


Hi Walter,

I've seen this behavior also. When I  'set debug loud' I got more 
information recorded via syslog.

Some stuff about RFC1323 and bad-timestamp errors.
Below is a section of a pf.conf file. It would be interesting to know 
if you get similar results with

set debug loud when trying to access problem sites.

 


# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using reassemble tcp on $lanif and/or $wanif
# Mac OS X software update fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with 
debug loud
# All else works fine including other http on OS X. TBD: investigate 
further.

#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble

-Dan

Walter Haidinger wrote:


Hi!

I'm running OpenBSD 3.9 GENERIC as a NAT router.

If I add the reassemble tcp option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particulary ebay (ebay.de, 
ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and

some other few sites, from a machine behind the NAT router.
Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on 
the router, there is no problem.


If I omit reassemble tcp everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id

I've never noticed the problem before because I was running the squid 
proxy on the router. Now I've moved it to a different machine

which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.

Unfortunately I cannot determine why only some sites have troubles
and that's why I seeking advice here on howto further diagnose
the problem.

Any hints are appreciated!

Regards, Walter 




 





--
 _   _   _
  __| | __ _ _ __   | |__   __ _ ___ ___| | ___ _ __
 / _` |/ _` | '_ \  | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ |  __/ |
 \__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|

[EMAIL PROTECTED]