
First of all: excuse me for my poor usage of the English language.

For several years I have been experiencing problems with the 'match in all scrub (no-df)' rule in pf. I can't find out what's happening here.

I'll try to be clear and simple. The pf.conf has been extremely shortened for this forum posting.

Here is my pf.conf:

set skip on lo0
match in all scrub (no-df)
block all
block in quick from urpf-failed
pass in on em0 proto tcp from any to 213.125.xxx.xxx port 80 synproxy state
pass in on em0 proto tcp from any to 213.125.xxx.xxx port 443 synproxy state
pass out on em0 from 213.125.xxx.xxx to any modulate state

HTTP and HTTPS are working fine. Until the moment a customer in France (Wanadoo DSL) couldn't view HTTPS pages! I blamed his provider and did no investigation on that problem.

But then... I bought an Android Samsung Galaxy SII (Vodafone) to monitor my servers. Hours after I walked out of the telephone store: no HTTPS-connections on my server! I thought my servers were down, drove back to the office very fast. But they were up.

I discovered that disabling the rule

match in all scrub (no-df)

solves the problem. Android phone (Vodafone NL) and Wanadoo DSL FR are now OK on HTTPS.

But now I don't have any scrubbing anymore. This is not what I want.

Does anyone here understand what is going on? I don't. Enabling scrubbing causes HTTPS webpages not to be loaded on SOME ISPs, but not all.

In systat, I strangely DO see a state created and packets received from those ISPs...

Still confused. I'm using OpenBSD 5.1/amd64 and OpenBSD 5.0/i386. I have two ISPs at my office (one DSL and one cable). Affects both.

This can be reproduced quite easily. I hope someone has experience with this problem.

Greetings,

Frank

Frank ter V.
  • I don't find this clearly expressed. What is the topology -- where's PF, where's HTTPS and so on. Lots of words, but rather messy. – poige Jun 28 '14 at 06:33
  • At your point I'd try tcpdumping the traffic to/from a mobile client with the rule enabled and disabled and compare the output. That would probably tell the tale ... – Fox May 14 '15 at 11:51

2 Answers


From what I read in the pf.conf manpage you may need to change the rule to:

match in all scrub (no-df random-id)

adamo
  • Hi, thanks for that answer. Still not working. I changed it to match all scrub (random-id min-ttl 64 set-tos ef max-mss 1440 reassemble tcp) Maybe my own answer is too easy, but: we can only conclude that packets from those networks ARE fragmented. So they're blocked... – Frank ter V. Jul 28 '12 at 18:22

To me it looks very much like you're having problems from blocking ICMP, which is an integral part of TCP/IP, actually. ICMP is used at least for Path MTU discovery. Excerpt from the FreeBSD Handbook's PF section:

The ICMP protocol sends and receives control messages between hosts and gateways, mainly to provide feedback to a sender about any unusual or difficult conditions en route to the target host. Routers use ICMP to negotiate packet sizes and other transmission parameters in a process often referred to as path MTU discovery.

PMTU discovery works exactly by using DF, which you clear off unless the scrub rule is removed.

poige
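A ruleset that keeps scrubbing while taking both answers into account, as an added example that is not part of the original question or either answer. It uses OpenBSD 5.x pf.conf syntax; em0 and the 213.125.xxx.xxx address come from the question, while the max-mss value of 1440 is an assumption that should be chosen from the smallest path MTU you expect.

```pf
# Added example pf.conf, not from the original post.
# Two points the answers raise:
#   1. no-df alone: pf.conf(5) warns that some stacks send DF packets with
#      IP ID 0; clearing DF on those can lead to ambiguous reassembly if a
#      router later fragments them, so random-id is recommended with no-df.
#   2. PMTU discovery only works if ICMP "unreachable, fragmentation
#      needed" messages can reach the sender; with "block all" they must be
#      passed explicitly.
ext_if = "em0"
srv    = "213.125.xxx.xxx"       # address exactly as written in the question

set skip on lo0
set reassemble yes               # explicit; this is the default in OpenBSD 5.x

# Scrub in both directions: clear DF, randomise the IP ID, and clamp the TCP
# MSS so that neither side sends full-size segments over a PPPoE/mobile path.
match in  all        scrub (no-df random-id max-mss 1440)   # 1440 is assumed
match out on $ext_if scrub (random-id max-mss 1440)

block all
block in quick from urpf-failed

# ICMP needed for path MTU discovery ("fragmentation needed but DF set").
pass in  on $ext_if inet proto icmp icmp-type unreach code needfrag
pass out on $ext_if inet proto icmp icmp-type unreach code needfrag

pass in on $ext_if proto tcp from any to $srv port { 80 443 } synproxy state
pass out on $ext_if from $srv to any modulate state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -vvs rules` afterwards to see whether the needfrag rules actually accumulate matches when an affected client connects.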