We recently upgraded a firewall from OpenBSD 3.5 to 3.9. More precisely, we
made a fresh install of 3.9 and then copied some configuration files
(namely, hostname.xxx and pf.conf). All went flawlessly. But we discovered
that some TCP connections were broken. Two such situations:
o Usage of AFNIC's ZoneCheck (a tool by the French registry maintaining the
.fr zone) failed 9 times out of 10, complaining that the DNS servers didn't
respond to TCP connections
o A client wasn't able to access his website anymore through their proxy (a
Linux box with Apache 2.0.54 proxy) without many delays and broken images.
When accessing the web directly from their Windows XP boxes, all was fine
o Only a very small portion of the TCP traffic was affected, but it was
We found out that the incriminated TCP connections were totally broken. For
instance, when the ZoneCheck tool connected to the DNS server, many
duplicated ACK and out-of-order packets were floating around. It was like
the ZoneCheck tool didn't receive our ACKs or was rejecting them. Upon
careful inspection (and given my not-so-brilliant TCP knowledge), initial
packets were looking good and shouldn't have generated this garbage storm.
When the DNS server was placed directly on the Internet side, all was fine.
This clearly was a PF problem. After playing with the filter rules to no
avail (just to be sure nothing was blocked by error), I checked the state
options, scrub and antispoof commands. The culprit was the "reassemble tcp"
option of the scrub command. Remove it, and all was back to normal. So the
perfectly working pf.conf we used for months needed this one change not to
break TCP connections.
In the pf changelog from 3.5 to 3.9, I noticed some changes associated with
the scrub command, but nothing suggesting such a behaviour. Am I the only
one seeing this, is it a "by design" thing that I don't understand, or is it
a known problem?
Thanks in advance.
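The scrub lines the post talks about, as an added illustration rather than the poster's actual pf.conf (the interface name and the other normalisation options are assumptions; this is the pre-4.6 standalone "scrub" syntax that OpenBSD 3.9 uses):

```pf
# Added illustration, not the poster's configuration. Interface name and the
# options other than "reassemble tcp" are assumptions.
ext_if = "fxp0"

# Normalisation kept after the change described in the post: reassemble IP
# fragments, clear the DF bit and randomise IP IDs on traffic entering on
# the external interface. Fragment handling has nothing to do with the
# stateful TCP checks and is unaffected by dropping "reassemble tcp".
scrub in on $ext_if all fragment reassemble no-df random-id

# The option the poster identified as the culprit on 3.9, kept here commented
# out. "reassemble tcp" adds stateful TCP normalisation (TTL enforcement,
# timestamp modulation and extended PAWS checks) on top of the rule above;
# when it misjudges a session, the peer sees its segments dropped and reacts
# with the duplicate ACKs and retransmissions described in the post.
#scrub in on $ext_if all reassemble tcp

# Before reloading, validate the file without applying it:
#   pfctl -nf /etc/pf.conf
```

After a reload, `pfctl -sr` lists the active scrub rules, so the absence of the `reassemble tcp` rule can be confirmed directly.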