
Re: pf reassemble tcp problem in latest snapshot?



For those following this thread and having the same problem, I've been
doing this successfully:

scrub on $ExtIF from any to swscan.apple.com random-id
scrub on $ExtIF from swscan.apple.com to any random-id
scrub on $ExtIF random-id reassemble tcp

We've taken the uninteresting parts of the conversation off this list.

> > >
> > > It's a slippery slope.  RFC1323 doesn't specifically require including a
> > > TCP timestamp on all data packets.  But it is implicitly required for
> > > PAWS to make any sense at all.  In the high speed TCP world, Apple is
> > > doing the equivalent of not checking sequence numbers.
> > >
> > > We have a workaround in PF for load balancers that timestamp on the 3whs
> > > but then strip timestamps off all further packets.  I don't see a direct
> > > workaround for this in the code.
> > >
> > > If it affects all MacOS systems, you can try replacing your scrub rule
> > > with these two:
> > >   scrub on fxp0 from os MacOS no-df random-id
> > >   scrub on fxp0 all no-df random-id reassemble tcp
> > >
> > > Or possibly use the FreeBSD fingerprint (iirc MacOS X uses the FreeBSD
> > > 4.x TCP stack)
> > >
> > > .mike
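Pulling the three scrub rules from the top of this message together into a loadable pf.conf fragment, as an added example that is not part of the original message or of pf itself: the interface name "fxp0" bound to $ExtIF is assumed, and the comments explain why the host-specific rules have to come before the catch-all.

```pf
# Added example (not from the original message): a pf.conf fragment that
# assembles the poster's workaround.  The interface name is an assumption.
ExtIF = "fxp0"

# pf evaluates scrub rules in order and the first matching rule wins, so the
# host-specific rules must precede the general one.  Traffic to and from
# swscan.apple.com still gets its IP ID randomized but is NOT reassembled,
# which sidesteps the missing-TCP-timestamp problem discussed in the thread.
scrub on $ExtIF from any to swscan.apple.com random-id
scrub on $ExtIF from swscan.apple.com to any random-id

# Everything else crossing the external interface gets full TCP reassembly.
scrub on $ExtIF random-id reassemble tcp
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. Note that pf resolves the hostname swscan.apple.com to addresses when the ruleset is loaded, so if those addresses change the ruleset has to be reloaded for the exception to keep working.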