Hi, I'm racking my brains here. I have just replaced <old commercial firewall> with one based on OpenBSD 6.3 PF. Nothing else has changed on the network, just the firewall.

Lots of "stuff" that used to work (e.g. various nightly pushes of data to "the cloud") has suddenly stopped working after the new firewall was put in place. It seems to be down to some sort of weird handling of SSL by PF? I can't see why it should be OpenBSD, and yet I also can't see why it cannot be OpenBSD, given nothing else has changed. The reason I say this is because of what I see if I take troubleshooting down to its most basic level.

This:

    wget -O bp_linux.tar.gz https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz

fails with:

    OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Unable to establish SSL connection.

And yet this (ironically!):

    wget https://cdn.openbsd.org/pub/OpenBSD/6.3/amd64/install63.iso

works fine.

Similarly, this:

    openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com

returns:

    no peer certificate available
    No client certificate CA names sent

And yet this:

    openssl s_client -connect google.com:443 -servername google.com

shows the SSL certs OK!

My PF is simple, as follows (there is no NAT here, it's fully routable):

    match in all scrub (no-df random-id)
    block drop
    set block-policy drop
    set syncookies always
    pass from <my_admin_net> to any flags S/SA modulate state (pflow)

DNS and everything else is working fine.
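The first thing to establish with a ruleset like the one in the post is whether PF is actually dropping packets of the failing flow or passing them all, because the two failure modes ("unknown protocol" and "no peer certificate available") point in different directions. Below is an added troubleshooting variant of the poster's ruleset, not the poster's own pf.conf and not an answer from the thread: it keeps the same rules but adds "log" to the default block so that every dropped packet is copied to pflog0, and the comments give the pfctl/tcpdump commands to read the result. The <my_admin_net> table is only declared here because pf.conf needs it to load; its member address (192.0.2.0/24) is a placeholder and is assumed.

```pf
# Troubleshooting variant of the ruleset from the post (added example, not the poster's file).
# Options first; OpenBSD's pfctl accepts them anywhere, but keeping them together
# avoids surprises when reading the loaded ruleset back with "pfctl -sa".
set block-policy drop
set syncookies always
set skip on lo

# Placeholder table so the file loads; the real members are not in the post.
table <my_admin_net> persist { 192.0.2.0/24 }   # assumed address, replace with yours

match in all scrub (no-df random-id)

# 'log' sends a copy of every packet this rule drops to the pflog0 interface.
block drop log all

pass from <my_admin_net> to any flags S/SA modulate state (pflow)

# Check the file and load it:
#   pfctl -nf /etc/pf.conf        syntax check only, nothing is loaded
#   pfctl -f /etc/pf.conf         load the ruleset
#
# Then, in one terminal, watch what PF drops for TLS traffic while the failing
# wget or openssl s_client command is re-run in another:
#   tcpdump -n -e -ttt -i pflog0 port 443
#
# Confirm whether the state for the flow was created at all and watch the
# rule counters move:
#   pfctl -ss | grep 443
#   pfctl -vvsr
```

If packets of the failing connection appear on pflog0, PF is dropping them and the rule named in the tcpdump output (the "rule N/..." field) tells you which one. If nothing appears on pflog0 and "pfctl -ss" shows an ESTABLISHED state for the GitHub/S3 host, PF passed the whole exchange and the difference between the working and failing hosts lies in what comes back from them, which is then worth capturing with tcpdump on the outside interface rather than on pflog0.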