Re: Scrub reassemble tcp

2014-12-01 Thread Henning Brauer
the entire scrubbing idea is pretty much abandoned these days. it was
a hot topic in the early 2000s (for everybody, not just us).

no, don't use tcp reassemble.

* Evaldas Auryla evaldas.aur...@edqm.eu [2014-11-21 18:20]:
> On 2014-11-14 14:54, Henning Brauer wrote:
>>> Is anyone using reassemble tcp with scrub ? Been using this for years
>>> without problems,
>> you just didn't notice the problems or didn't hit them. Reassemble tcp
>> isn't 100%, unfortunately, and never was. No changes in ages either.
> Well, nobody raised a hand, so let's say I didn't notice.
>> hitting it more often now isn't too surprising given the increasing use
>> of windows scaling etc.
>
> I see, so would you recommend to not use it ? As a workaround I tried
> declaring second scrub line targeting this specific system with to IP..
> syntax, and pf accepted it, but then it seems to be ignored.
>
> Thanks!


Re: Scrub reassemble tcp

2014-11-21 Thread Evaldas Auryla

On 2014-11-14 14:54, Henning Brauer wrote:

>> Is anyone using reassemble tcp with scrub ? Been using this for years
>> without problems,
>
> you just didn't notice the problems or didn't hit them. Reassemble tcp
> isn't 100%, unfortunately, and never was. No changes in ages either.

Well, nobody raised a hand, so let's say I didn't notice.

> hitting it more often now isn't too surprising given the increasing use
> of windows scaling etc.

I see, so would you recommend to not use it ? As a workaround I tried
declaring second scrub line targeting this specific system with to
IP.. syntax, and pf accepted it, but then it seems to be ignored.

Thanks!


Re: Scrub reassemble tcp

2014-11-14 Thread Henning Brauer
* Evaldas Auryla evaldas.aur...@edqm.eu [2014-11-13 19:30]:
> Is anyone using reassemble tcp with scrub ? Been using this for years
> without problems,

you just didn't notice the problems or didn't hit them. Reassemble tcp
isn't 100%, unfortunately, and never was. No changes in ages either.

hitting it more often now isn't too surprising given the increasing use
of windows scaling etc.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting


Re: scrub reassemble tcp and nat causes problems with some sites

2006-07-20 Thread Daniel E. Hassler
Argh - It might help if I explain more. I have an OpenBSD 3.8 system
running as a transparent packet filter (TPF).
The OS X system is inside ($lanif). Apple's network - CIDR 17/8 is
outside ($wanif). A Cisco PIX is doing NAT. IPs on the $wanif side
that are inside the PIX are considered as DMZ. IPs on the $lanif side
are considered LAN.


WAN---PIX/NAT---DMZ---TPF---LAN---OS X

Whenever I put a scrub rule with reassemble tcp on $wanif and/or $lanif
I have trouble with some sites (e.g. Apple's Software Update).
Setting debug to loud I get the messages I mention below.


-Dan

Daniel E. Hassler wrote:


More info - I ran a test scenario.
Here is a sample of the messages I get via syslog with set debug loud 
and scrub with reassemble tcp trying to run OS X's Software Update.


Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A


-Dan

Daniel E. Hassler wrote:


Hi Walter,

I've seen this behavior also. When I 'set debug loud' I got more
information recorded via syslog.

Some stuff about RFC1323 and bad-timestamp errors.
Below is a section of a pf.conf file. It would be interesting to know
if you get similar results with set debug loud when trying to access
problem sites.


# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using reassemble tcp on $lanif and/or $wanif
# Mac OS X software update fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with debug loud
# All else works fine including other http on OS X. TBD: investigate further.
#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble

-Dan

Walter Haidinger wrote:


Hi!

I'm running OpenBSD 3.9 GENERIC as a NAT router.

If I add the reassemble tcp option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particularly ebay (ebay.de,
ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
a few other sites, from a machine behind the NAT router.
Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on
the router, there is no problem.


If I omit reassemble tcp everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id

I've never noticed the problem before because I was running the
squid proxy on the router. Now I've moved it to a different machine
which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.

Unfortunately I cannot determine why only some sites have troubles
and that's why I'm seeking advice here on how to further diagnose
the problem.

Any hints are appreciated!

Regards, Walter

--
 _   _   _
  __| | __ _ _ __   | |__   __ _ ___ ___| | ___ _ __
 / _` |/ _` | '_ \  | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ |  __/ |
 \__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|

[EMAIL PROTECTED]
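As an added example (my code, not Dan's, Walter's or anything from the pf tree): a Python parser for the set debug loud lines Dan posted above. It pairs each "Did not receive expected RFC1323 timestamp" message with the TCP state line pf prints immediately after it, decodes the state fields, and counts failures per destination, which is the "which sites" question Walter asked. The sample log is constructed: the first pair is the one Dan posted, the unrelated line and the second pair are made up. The window check assumes pf sets a peer's high mark from the window the other peer last advertised; that is an assumption about pf's state tracking, not something the thread states.

```python
"""Decode pf 'set debug loud' timestamp-failure events (added example)."""
import re
from collections import Counter

# Message pf logs when a stateful-scrubbed connection stops carrying the
# RFC1323 timestamp option it negotiated (text as posted in the thread).
TS_MSG = "pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp"

# pf_print_state() layout: "TCP src gwy dst [src peer] [dst peer] S:S flags".
STATE_RE = re.compile(
    r"TCP (?P<src>\S+) (?P<gwy>\S+) (?P<dst>\S+) "
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=(?P<src_win>\d+) "
    r"modulator=\d+ wscale=(?P<src_ws>\d+)\] "
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=(?P<dst_win>\d+) "
    r"modulator=\d+ wscale=(?P<dst_ws>\d+)\] "
    r"(?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+)\s*$"
)

# TCP state numbers as pf prints them (TCPS_* values from netinet/tcp_fsm.h).
TCPS = ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED",
        "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2",
        "TIME_WAIT"]

# Constructed sample log: the first pair is the one Dan posted; the
# unrelated line and the second pair are made up for this example.
SAMPLE_LOG = """\
Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A
Jul 19 19:42:38 obsd38 /bsd: unrelated kernel message (constructed)
Jul 19 19:42:40 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:40 obsd38 /bsd: TCP 192.168.1.14:65110 192.168.1.14:65110 17.250.248.95:80 [lo=1000 high=17384 win=65535 modulator=0 wscale=0] [lo=5000 high=70535 win=16384 modulator=0 wscale=0] 4:4 PA
"""


def parse_state(line):
    """Return the fields of a pf TCP state line as a dict, or None."""
    m = STATE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in fields:
        if key not in ("src", "gwy", "dst", "flags"):
            fields[key] = int(fields[key])
    return fields


def parse_debug_log(text):
    """Pair each timestamp-failure message with the state line pf prints
    right after it; any other line in between resets the pairing."""
    events, pending = [], False
    for line in text.splitlines():
        if TS_MSG in line:
            pending = True
            continue
        state = parse_state(line)
        if pending and state:
            events.append(state)
        pending = False
    return events


def peer_windows(ev):
    """Sequence-number room each peer still has (high - lo, mod 2^32).
    Assumption: pf derives a peer's high mark from the window the other
    peer last advertised, shifted by that peer's wscale, so the span must
    not exceed that scaled window."""
    src_span = (ev["src_hi"] - ev["src_lo"]) & 0xFFFFFFFF
    dst_span = (ev["dst_hi"] - ev["dst_lo"]) & 0xFFFFFFFF
    src_allowed = ev["dst_win"] << ev["dst_ws"]
    dst_allowed = ev["src_win"] << ev["src_ws"]
    return {"src_span": src_span, "dst_span": dst_span,
            "consistent": src_span <= src_allowed and dst_span <= dst_allowed}


def state_names(ev):
    """Map the 'S:S' numbers to TCP state names for src and dst."""
    return TCPS[ev["src_state"]], TCPS[ev["dst_state"]]


def summarize(events):
    """Failures per destination: which site is losing its timestamps."""
    return Counter(e["dst"] for e in events)


if __name__ == "__main__":
    evs = parse_debug_log(SAMPLE_LOG)
    for e in evs:
        print(e["src"], "->", e["dst"], state_names(e), e["flags"], peer_windows(e))
    print(summarize(evs))
```

On a real box, feed it the pf lines from /var/log/messages instead of SAMPLE_LOG. For Dan's line the decoded states are FIN_WAIT_2:ESTABLISHED, so by the time the timestamp check failed the client side had already sent its FIN, and both peers show wscale=0; the src span of 16384 matches the 16384 window the server side advertised, so the state itself looks consistent and the failure is purely the missing timestamp option.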



Re: scrub reassemble tcp rule

2003-08-22 Thread Daniel Hartmeier
On Fri, Aug 22, 2003 at 03:28:52PM -0700, Adam Getchell wrote:

 scrub on $ext_if all reassemble tcp
 
 Doesn't work.

Define doesn't work.

Is your pf kernel and userland new enough to support tcp reassembly?
Mike added this feature to 3.3-current around May this year. Are you
using a new enough -current? Are kernel and userland in sync?

Does the rule produce an error from pfctl when you try to load it?
What's the precise error message? How is $ext_if defined?

Or does it load, but not have the effect you expect? In that case
describe what you expect and what you observe is different.

Daniel


Re: scrub reassemble tcp rule

2003-08-22 Thread Jolan Luff
On Fri, Aug 22, 2003 at 03:28:52PM -0700, Adam Getchell wrote:
 Hi all,
 
 This rule:
 
 scrub on $ext_if all reassemble tcp
 
 Doesn't work. I've looked at the man pages, and it seems as though it
 should. What am I missing?

Must have missed it:

reassemble tcp
Statefully normalizes TCP connections.  scrub reassemble tcp
rules may not have the direction (in/out) specified.
  ^^
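As an added example (not from the thread and not pf's own code), covering Daniel's questions above about how $ext_if is defined and whether the rule loads, and the pf.conf(5) sentence Jolan quotes: a small Python lint for scrub rules. It expands $macro references so an undefined interface macro is reported before pfctl is ever run, and flags any reassemble tcp rule that specifies in or out. The sample pf.conf is constructed, and the macro handling is a simplification (plain name = "value" lines only, no lists or braces).

```python
"""Lint scrub rules in a pf.conf (added example, simplified macro handling)."""
import re

MACRO_DEF_RE = re.compile(r'^(?P<name>[A-Za-z_]\w*)\s*=\s*"?(?P<value>[^"]*?)"?$')
MACRO_USE_RE = re.compile(r"\$(?P<name>[A-Za-z_]\w*)")
REASSEMBLE_TCP_RE = re.compile(r"\breassemble\s+tcp\b")

# Constructed sample pf.conf: line 3 breaks the pf.conf(5) constraint quoted
# in the thread, line 6 uses a macro that is never defined.
SAMPLE_CONF = """\
ext_if = "fxp0"
scrub on $ext_if all reassemble tcp
scrub in on $ext_if all reassemble tcp
# the direction-less form Walter reported as working without reassemble tcp:
scrub all no-df fragment reassemble random-id
scrub on $wan_if all random-id fragment reassemble
"""


def expand_macros(rule, macros):
    """Replace $name with its definition; return (expanded, undefined names)."""
    missing = []

    def sub(m):
        name = m.group("name")
        if name in macros:
            return macros[name]
        missing.append(name)
        return m.group(0)

    return MACRO_USE_RE.sub(sub, rule), missing


def lint_scrub(conf):
    """Return (lineno, level, message) for every scrub rule in conf."""
    macros, findings = {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments are not rule text
        if not line:
            continue
        m = MACRO_DEF_RE.match(line)
        if m:
            macros[m.group("name")] = m.group("value")
            continue
        if not line.startswith("scrub"):
            continue  # only scrub rules are checked here
        rule, missing = expand_macros(line, macros)
        if missing:
            for name in missing:
                findings.append((lineno, "error", f"macro ${name} is not defined"))
            continue
        words = rule.split()
        # pf.conf(5): scrub reassemble tcp rules may not specify a direction.
        if REASSEMBLE_TCP_RE.search(rule) and len(words) > 1 and words[1] in ("in", "out"):
            findings.append((lineno, "error",
                             "scrub reassemble tcp rules may not have the direction (in/out) specified"))
        else:
            findings.append((lineno, "ok", rule))
    return findings


if __name__ == "__main__":
    for lineno, level, msg in lint_scrub(SAMPLE_CONF):
        print(f"line {lineno}: {level}: {msg}")
```

The "ok" findings print the rule with macros expanded, which is the form worth comparing against what pfctl -sr later shows; an "error" on a reassemble tcp line with a direction is exactly the case the man page excerpt above rules out.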