Hello,
I have problems loading some websites (e.g. www.hit.de, www.lidl.de,
www.ebay.de, www.ebay.com). They load very slowly, if they show up at all.
I have had this problem since this morning, when I replaced our old Cisco
router with our new OpenBSD firewall.
Other sites load normally.
Here is the network:

    $srcnet----openbsd-box------$src_ext
                    |
                 ---internet

(The OpenBSD box has a regular IP address and an alias from the class B
$src_ext, therefore there is the exclusion in nat.
Yes, I know this looks evil, but I have some more firewalls in $srcnet :-)
Here is the interesting part of pf.conf:
    scrub all reassemble tcp

    no nat on $ext_if inet \
        from $srcnet to $src_ext
    nat on $ext_if inet \
        from $srcnet to any -> $ext_ad

    block in log all
    block in from $src_ext

    pass in quick on $int_if inet proto tcp from $srcnet to $src_ext \
        flags S/SA modulate state
    pass in quick on $int_if inet proto icmp \
        from $srcnet to $src_ext keep state
    pass out quick on $ext_if inet proto icmp \
        from $srcnet to $src_ext keep state
    pass in quick on $int_if inet proto udp \
        from $srcnet to $src_ext keep state

    pass in quick on $int_if inet proto tcp \
        from $srcnet to ! $src_ext flags S/SA
    pass in quick on $int_if inet proto {udp, icmp} \
        from $srcnet to ! $src_ext

    pass out quick on $ext_if inet proto tcp from $ext_ad \
        to any flags S/SA keep state
    pass out quick on $ext_if inet proto {udp, icmp} \
        from $ext_ad to any keep state
There are some more rules, but they are only for communication between
$srcnet and the gateway.
I think I can handle the problem with a scrub rule, but everything I have
tried didn't work (no-df, limit frags).
Any ideas?
Thanks,
Guido
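Added illustration by the editor, not part of Guido's post and not a diagnosis of his particular problem: when only some sites load slowly or hang behind a freshly installed packet filter, one common cause is a path-MTU black hole, and the usual workaround in pf is to clamp the TCP MSS on the external interface with a scrub rule. The fragment below shows that rule placed next to the poster's own scrub and default-deny lines. The `ext_if` value, the assumption that the uplink MTU is below 1500, and the MSS of 1440 are all hypothetical; `max-mss` is not available in the earliest pf releases, so check `man pf.conf` on the box before using it.

```pf
# Added example, not from the original post. The interface value and the
# MSS are assumptions for an uplink whose MTU is below 1500
# (1440 = 1480 - 40 bytes of IP and TCP headers; lower it for smaller MTUs).
ext_if = "xl0"      # hypothetical interface name

# Clamp the MSS announced in outbound SYNs so the remote side never sends
# segments larger than the uplink can carry without fragmentation. pf
# applies the first matching scrub rule, so this is placed before the
# generic rule that follows.
scrub out on $ext_if inet proto tcp from any to any max-mss 1440

# The poster's original normalization rule, unchanged, for everything else.
scrub all reassemble tcp

# The poster's default deny, still logging to pflog0 so that dropped
# packets for the slow sites can be inspected instead of guessed at.
block in log all
```

Because the deny rule logs, the complementary check is to watch the log interface while loading one of the slow sites, e.g. `tcpdump -n -e -ttt -i pflog0`; if nothing relevant is dropped there, the MSS clamp above is the next thing to try, and if the sites then load normally the uplink MTU is the place to look.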