Re: scrub reassemble tcp and nat causes problems with some sites (lucky.openbsd.misc forums, OpenBSD category)
Argh - It might help if I explain more.

I have an OpenBSD 3.8 system running as a transparent packet filter (TPF).
The OS X system is inside ($lanif). Apple's network - CIDR 17/8 - is outside
($wanif). A Cisco PIX is doing NAT. IPs on the $wanif side that are inside
the PIX are considered DMZ. IPs on the $lanif side are considered LAN.

WAN<--->PIX/NAT<--->DMZ<--->TPF<--->LAN<--->OS X

Whenever I put a scrub rule with reassemble tcp on $wanif and/or $lanif I have
trouble with some sites (e.g. Apple's "Software Update"). Setting debug to
loud I get the messages I mention below.

-Dan

Daniel E. Hassler wrote:
> More info - I ran a test scenario.
> Here is a sample of the messages I get via syslog with set debug loud
> and scrub with reassemble tcp trying to run OS X's "Software Update".
>
> Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not
> receive expected RFC1323 timestamp
> Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108
> 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0
> wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0]
> 9:4 A
>
> -Dan
>
> Daniel E. Hassler wrote:
>
>> Hi Walter,
>>
>> I've seen this behavior also. When I 'set debug loud' I got more
>> information recorded via syslog.
>> Some stuff about RFC1323 and bad-timestamp errors.
>> Below is a section of a pf.conf file. It would be interesting to know
>> if you get similar results with set debug loud when trying to access
>> problem sites.
>>
>> ################################################################################
>>
>> # NORMALIZATION: reduce/resolve ambiguities.
>> #
>> scrub on $admif all random-id reassemble tcp
>> #scrub on $lanif all random-id reassemble tcp
>> #scrub on $wanif all random-id reassemble tcp
>> #
>> # Problem using "reassemble tcp" on $lanif and/or $wanif
>> # Mac OS X "software update" fails.
>> # bad-timestamp counter increments, RFC1323 errors in syslog with debug loud
>> # All else works fine including other http on OS X. TBD: investigate further.
>> #
>> scrub on $lanif all random-id fragment reassemble
>> scrub on $wanif all random-id fragment reassemble
>>
>> -Dan
>>
>> Walter Haidinger wrote:
>>
>>> Hi!
>>>
>>> I'm running OpenBSD 3.9 GENERIC as a NAT router.
>>>
>>> If I add the "reassemble tcp" option to my scrub rule in pf.conf,
>>> I have trouble connecting to some sites, particularly ebay (ebay.de,
>>> ebay.at and ebay.com as well as e.g. kaufen.ebay.de) and
>>> a few other sites, from a machine behind the NAT router.
>>> Connects time out or have long delays if the site responds at all.
>>> If connecting directly from OpenBSD, using lynx or squid running on
>>> the router, there is no problem.
>>>
>>> If I omit "reassemble tcp" everything works fine, i.e. with:
>>> scrub all no-df fragment reassemble random-id
>>>
>>> I've never noticed the problem before because I was running the
>>> squid proxy on the router. Now I've moved it to a different machine
>>> which is NATted too. Please note that it is not a squid issue
>>> as timeouts occur regardless of proxy use if on a NATted machine.
>>>
>>> Unfortunately I cannot determine why only some sites have troubles
>>> and that's why I am seeking advice here on how to further diagnose
>>> the problem.
>>>
>>> Any hints are appreciated!
>>>
>>> Regards, Walter
>>>

-- 
hassler@speakeasy.net
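The thread's diagnostic path is "set debug loud, then read syslog"; on a busy firewall that produces a lot of pairs of lines and it is hard to see which remote sites actually trip the RFC1323 timestamp check. The script below is an added example written for this page, not code from the thread or from OpenBSD. It pairs each `pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp` message with the pf state line that follows it (the `TCP src gw dst [...] [...] srcstate:dststate flags` line, which syslog writes on one line and the mailer wrapped), then counts events per flow and per remote host. The numeric states are mapped with the TCPS_* values from `tcp_fsm.h` (so `9:4` reads as FIN_WAIT_2:ESTABLISHED). The sample log is constructed from the two lines quoted above plus a third flow so the grouping has something to show.

```python
import re
from collections import Counter

# Constructed sample: the two syslog lines quoted in the thread (joined back
# onto single lines, as syslog writes them), repeated once, plus one extra
# flow from a second LAN host to show grouping.
SAMPLE_LOG = """\
Jul 19 19:42:37 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:37 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A
Jul 19 19:42:38 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:42:38 obsd38 /bsd: TCP 192.168.1.14:65108 192.168.1.14:65108 17.250.248.95:80 [lo=4276925920 high=4276942304 win=65535 modulator=0 wscale=0] [lo=708430922 high=708496457 win=16384 modulator=0 wscale=0] 9:4 A
Jul 19 19:43:01 obsd38 /bsd: pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp
Jul 19 19:43:01 obsd38 /bsd: TCP 192.168.1.20:50211 192.168.1.20:50211 17.250.248.95:80 [lo=100 high=200 win=65535 modulator=0 wscale=0] [lo=300 high=400 win=16384 modulator=0 wscale=0] 4:4 A
"""

MARKER = "pf_normalize_tcp_stateful: Did not receive expected RFC1323 timestamp"

# pf's state dump: PROTO src gw dst [src seq/window] [dst seq/window] srcstate:dststate flags
STATE_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>\S+) (?P<gw>\S+) (?P<dst>\S+) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=(?P<smod>\d+) wscale=(?P<swsc>\d+)\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=(?P<dmod>\d+) wscale=(?P<dwsc>\d+)\] "
    r"(?P<sstate>\d+):(?P<dstate>\d+)(?: (?P<flags>\S+))?"
)

# TCPS_* numbering from sys/netinet/tcp_fsm.h.
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED", 4: "ESTABLISHED",
    5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING", 8: "LAST_ACK",
    9: "FIN_WAIT_2", 10: "TIME_WAIT",
}


def parse_events(lines):
    """Pair each RFC1323 timestamp message with the pf state line that follows it.

    A state line without a preceding marker is ignored, so other debug output
    mixed into the same log does not produce events.
    """
    events = []
    pending = False
    for line in lines:
        if MARKER in line:
            pending = True
            continue
        if not pending:
            continue
        m = STATE_RE.search(line)
        if m is None:
            continue
        events.append({
            "src": m["src"], "gw": m["gw"], "dst": m["dst"],
            "src_state": TCP_STATES.get(int(m["sstate"]), m["sstate"]),
            "dst_state": TCP_STATES.get(int(m["dstate"]), m["dstate"]),
            "flags": m["flags"] or "",
            "src_wscale": int(m["swsc"]), "dst_wscale": int(m["dwsc"]),
        })
        pending = False
    return events


def count_by_flow(events):
    """Events per (src, dst) socket pair."""
    return Counter((e["src"], e["dst"]) for e in events)


def count_by_peer(events):
    """Events per remote host only, so a problem site shows up as one entry."""
    return Counter(e["dst"].rsplit(":", 1)[0] for e in events)


def worst_flows(events, limit=5):
    return count_by_flow(events).most_common(limit)


def report(text):
    events = parse_events(text.splitlines())
    out = [f"{len(events)} bad-timestamp events"]
    for (src, dst), n in worst_flows(events):
        out.append(f"  {n:4d}  {src} -> {dst}")
    for host, n in count_by_peer(events).most_common():
        out.append(f"  peer {host}: {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the real log with `python3 pf_ts_events.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the per-peer counts give a list of remote hosts to compare with the sites that fail, which is the correlation Walter asked how to get.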