reassemble tcp

From: Alessandro Baggi
Date: Friday, January 15, 2010 - 1:33 pm

Hi there. I have a problem with pf on OpenBSD 4.6.

After several tests, I've reduced my pf.conf to these rules:

macros....
set block-policy drop
match all scrub (no-df, random-id, reassemble tcp, max-mss 1440)
nat on $ext from $int:network -> $ext:0
block log all
pass in on $int from any to any
pass out on $ext from $ext:0 to any


pfctl accepts all the rules without errors, but I have problems during connection.
If I try to log in with Pidgin (MSN) from Slackware Linux, it doesn't
work.
If I try to log in with Pidgin proxied from Slackware, it works.
I've also tried removing reassemble tcp from the scrub, and it works.
If I try to log in with MSN from Windows (proxied, with reassemble
tcp, and without a proxy), it works.

In all the failed Pidgin connections from Linux I receive this:

connection: Connection error on 0x8551180 (reason: 0 description:
Connection error from Notification server: Reading error)

But is the connection being dropped? (I also receive a block log entry
for an ACK of the Pidgin connection.)

Another problem with reassemble tcp is with Windows boot. I receive
these messages from syslog:

block in on rl0: 10.1.3.53.137 > 10.1.255.255.137: udp 50

If I remove reassemble tcp, it works fine.
I've also tried with a pass all rule, but with the same result. Is it
possible that scrub with the reassemble tcp option blocks some packets?
What is the reason for this?

Is it my misconfiguration, or is it normal behaviour?

Thanks in advance!

Messages in current thread:
reassemble tcp, Alessandro Baggi, (Fri Jan 15, 1:33 pm)
Re: reassemble tcp, Ted Unangst, (Fri Jan 15, 1:41 pm)
Re: reassemble tcp, Alessandro Baggi, (Fri Jan 15, 3:36 pm)