[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: scrub problems with 3.5 -> 3.6 upgrade

I found a similar problem over the weekend where I was getting very slow responses and some outright failures from some websites through a freshly installed 3.6 firewall. Turning off reassemble tcp brought everything back up to speed. Under 3.5 I never experienced any problems. Setup is a VIA Eden box with internal nic and a 3com 905c-tx, stock 3.6 install.

-David Powers

Toni wrote:

I upgraded my transparent bridge firewall. Old server was running OpenBSD 3.5 with 3com (xl) nics, new is OpenBSD 3.6 with Intel (em) nics. Same ruleset.

With old machine (3.5), this worked perfectly:

# Scrub (normalize) packets
scrub on $ext_if all random-id reassemble tcp fragment reassemble

With new machine (3.6), I started to get immediately some connection errors from both side of the firewall. For example:

From inside to out:

I was not able to get any HTTP replies from some IIS servers. For example, this happened with simply trying to wget a file from that remote server.

For testing purposes, I did telnet to port 80 of that IIS server, connection established, but no reply to my "GET / HTTP/1.0" command.

From outside to in:

I was not able to connect to my own mail server (using IMAP protocol) from internet. This problem existed only with some email clients (for example Nokia S80 phone client). Some windows clients (like Thunderbird, XP with SP2) worked ok. I had no time to test more.

Both of these worked with 3.5 for sure and both of these were solved immediately when I changed scrub settings with 3.6 to:

# Scrub (normalize) packets
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id

I guess the problem is with the "reassemble tcp" (not sure). An issue I found I've asked about almost exactly a year ago also... :)

http://www.mail-archive.com/[email protected]/msg03228.html

I'd really like to keep using "reassemble tcp". What changes has been done between 3.5 and 3.6 what could affect scrub? (sorry I admit, I haven't yet read all the archives or done RTFM's since 3.5) Is there a patch available to 3.6 for this issue?

Best regards,