[UCIMC-Tech] Google access vs. OpenBSD firewall config

Stuart Levy slevy at ncsa.uiuc.edu
Wed Sep 24 17:33:36 CDT 2008


On Wed, Sep 24, 2008 at 03:44:30PM -0500, David Young wrote:
   [re the 'can't reach google' problem from the IMC network]

> IIRC, Josh King wrote previously that IMC has an OpenBSD/PF firewall.
> There is a harmful interaction between the firewall and TCP window
> scaling.

Oh thanks -- that sounds familiar -- and helpful!

Googling for that intersection turns up a snippet from the
bottom of this page, talking about the OpenBSD "pf" firewall system:

     http://fatsquirrel.org/veghead/wot/openbsd.html

`` "Window scaling" is a TCP option that can cause all sorts of problems
  with network devices that don't know about it [...]

  The good news: pf handles [window scaling] perfectly well,
  providing you follow these simple rules:

    * Block everything by default
    * Ensure all 'pass' rules applying to TCP have both 'keep state' and 'flags S/SA'.
  [...]

    If state is created on a subsequent packet (like when the SYN is
    accidentally passed without creating state, and state is created on
    the returning SYN+ACK), pf has missed the window scaling negotiation
    containing the scaling factors, and will eventually stall
    connections. Each peer's scaling factor is only seen in its SYN packet,
    and can't be deduced later on.
  ''
Who has access to the router machine?   Can someone check whether
the firewall configuration (wherever it is -- /etc/pf.conf?)
contains what's needed according to the advice below?


Looking at the "pf" FAQ,
   http://www.openbsd.org/faq/pf/filter.html


``To create a default deny filter policy, the first two filter rules should be:

    block in  all
    block out all 
   ''

and, under Keeping State,

``  Starting in OpenBSD 4.1, all filter rules automatically create a state entry
    when a packet matches the rule. In earlier versions of OpenBSD the filter rule
    had to explicitly use the keep state option.

    Example using OpenBSD 4.1 and later:

	pass out on fxp0 proto tcp from any to any 

    Example using OpenBSD 4.0 and earlier:

	pass out on fxp0 proto tcp from any to any keep state 
   ''

or, to properly process things like ICMP pings too,

     pass out on eth0 proto { tcp, udp, icmp } from any to any keep state