Hi Walter,
I've seen this behavior also. When I 'set debug loud' I got more
information recorded via syslog.
Some stuff about RFC1323 and bad-timestamp errors.
Below is a section of a pf.conf file. It would be interesting to know if
you get similar results with set debug loud when trying to access
problem sites.
################################################################################
# NORMALIZATION: reduce/resolve ambiguities.
#
scrub on $admif all random-id reassemble tcp
#scrub on $lanif all random-id reassemble tcp
#scrub on $wanif all random-id reassemble tcp
#
# Problem using "reassemble tcp" on $lanif and/or $wanif
# Mac OS X "software update" fails.
# bad-timestamp counter increments, RFC1323 errors in syslog with debug loud
# All else works fine including other http on OS X. TBD: investigate
# further.
#
scrub on $lanif all random-id fragment reassemble
scrub on $wanif all random-id fragment reassemble
-Dan
Walter Haidinger wrote:
Hi!
I'm running OpenBSD 3.9 GENERIC as a NAT router.
If I add the "reassemble tcp" option to my scrub rule in pf.conf,
I have trouble connecting to some sites, particularly ebay (ebay.de,
ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
a few other sites, from a machine behind the NAT router.
Connects time out or have long delays if the site responds at all.
If connecting directly from OpenBSD, using lynx or squid running on
the router, there is no problem.
If I omit "reassemble tcp" everything works fine, i.e. with:
scrub all no-df fragment reassemble random-id
I've never noticed the problem before because I was running the
squid proxy on the router. Now I've moved it to a different machine
which is NATted too. Please note that it is not a squid issue
as timeouts occur regardless of proxy use if on a NATted machine.
Unfortunately I cannot determine why only some sites have trouble
and that's why I'm seeking advice here on how to further diagnose
the problem.
Any hints are appreciated!
Regards,
Walter
--
_ _ _
__| | __ _ _ __ | |__ __ _ ___ ___| | ___ _ __
/ _` |/ _` | '_ \ | '_ \ / _` / __/ __| |/ _ \ '__|
| (_| | (_| | | | | | | | | (_| \__ \__ \ | __/ |
\__,_|\__,_|_| |_| |_| |_|\__,_|___/___/_|\___|_|
[EMAIL PROTECTED]
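
Added example (not part of the original thread, and not code from either poster): one way to confirm that the bad-timestamp counter mentioned above is what moves while a problem site is loading, by diffing two `pfctl -s info` snapshots. The two snapshots embedded here are constructed samples laid out like that command's output, and the function name `counter_deltas` is hypothetical.

```shell
#!/bin/sh
# counter_deltas BEFORE AFTER
# Print "name delta" for every entry in the "Counters" section whose
# total increased between two snapshots of `pfctl -s info` output.
counter_deltas() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; in_c = 0; next }    # snapshot separator
        /^[^ \t]/   { in_c = ($1 == "Counters"); next } # unindented = section header
        in_c && NF == 3 && $2 ~ /^[0-9]+$/ {           # name, total, rate
            if (!second) before[$1] = $2 + 0
            else if ($2 + 0 > before[$1]) print $1, $2 - before[$1]
        }'
}

# Constructed sample snapshots (not captured from a real firewall).
BEFORE='Status: Enabled for 0 days 01:00:00           Debug: Loud

State Table                          Total             Rate
  current entries                       12
  searches                            1000            0.3/s
Counters
  match                                400            0.1/s
  bad-timestamp                          3            0.0/s
  normalize                              0            0.0/s'

AFTER='Status: Enabled for 0 days 01:05:00           Debug: Loud

State Table                          Total             Rate
  current entries                       14
  searches                            1500            0.3/s
Counters
  match                                450            0.1/s
  bad-timestamp                         10            0.0/s
  normalize                              0            0.0/s'

# On the router itself the snapshots would come from pf directly:
#   pfctl -x loud                  # same effect as "set debug loud"
#   before=$(pfctl -s info)
#   ... reproduce the failing connection from the NATted host ...
#   after=$(pfctl -s info)
#   counter_deltas "$before" "$after"
counter_deltas "$BEFORE" "$AFTER"
```

A bad-timestamp delta that appears only while the failing connection is being attempted, and only with `reassemble tcp` enabled on that interface, ties the timeouts to the scrub rule rather than to the remote site.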