On 2018-09-18, Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> wrote:
> Hi,
>
> I'm wracking my brains here. I have just replaced <old commercial firewall>
> with one based on OpenBSD 6.3 PF. Nothing else has changed on the network,
> just the firewall.
>
> Lots of "stuff" that used to work (e.g. various nightly pushes of data to
> "the cloud") has suddenly stopped working after the new firewall was put in
> place.
>
> It seems to be down to some sort of weird handling of SSL by PF? I can't
> see why it should be OpenBSD, and yet I also can't see why it cannot be
> OpenBSD, given nothing else has changed.
>
> The reason I say this is because of what I see if I take troubleshooting down
> to its most basic level:
>
> This:
> wget -O bp_linux.tar.gz https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
> Fails with:
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> Unable to establish SSL connection.
>
> And yet this (ironically!):
> wget https://cdn.openbsd.org/pub/OpenBSD/6.3/amd64/install63.iso
> Works fine.
>
> Similarly, this:
> openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com
> Returns:
> no peer certificate available
> No client certificate CA names sent
>
> And yet this:
> openssl s_client -connect google.com:443 -servername google.com
> Shows SSL certs OK!
>
> My PF is simple as follows (there is no NAT here, it's fully routable):
> match in all scrub (no-df random-id)
> block drop
> set block-policy drop
> set syncookies always
> pass from <my_admin_net> to any flags S/SA modulate state (pflow)
>
> DNS and everything else is working fine.
This feels like it might be an MTU related problem, especially likely if the connection is going via pppoe or a tunnel - you may need "scrub (max-mss ##)". The way Google's TLS server handshake is set up, it fits in pppoe without fragmentation; most other sites do not.

Otherwise try simplifying pf.conf (one change at a time and test): disable syncookies and change "modulate state" to "keep state", maybe also the random-id scrub. ("syncookies always" in PF doesn't make a lot of sense to me except for testing, especially if only allowing inside->outside traffic; I think "adaptive" would be more usual if using this feature.)
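As an added worked example (not from either poster), here is a pf.conf fragment that applies the reply's suggestions: MSS clamping for a PPPoE uplink, "keep state" instead of "modulate state", adaptive syncookies, and the no-df/random-id scrub options left out for the first test. It assumes the uplink is pppoe0 with the usual PPPoE MTU of 1492, so the clamp is 1492 - 20 (IPv4 header) - 20 (TCP header) = 1452; the interface name and the 192.0.2.0/24 admin network are placeholders.

```pf
# Added example, not from the thread. Assumes the uplink is pppoe0 with
# MTU 1492; set max-mss to (path MTU - 40) for IPv4 TCP, or (path MTU - 60)
# if IPv6 traffic also crosses the tunnel.
ext_if = "pppoe0"
table <my_admin_net> { 192.0.2.0/24 }   # placeholder admin network (RFC 5737 range)

set block-policy drop
# adaptive rather than always: only start cooking SYNs when the state
# table fills up, so normal handshakes are untouched
set syncookies adaptive (start 25%, end 12%)

# Clamp the advertised TCP MSS on the tunnel interface so the server's
# TLS handshake (ServerHello plus certificate chain) arrives in segments
# that fit the PPPoE path without IP fragmentation. no-df and random-id
# are deliberately omitted here; add them back one at a time once the
# downloads work again.
match on $ext_if scrub (max-mss 1452)

block drop

# keep state while bisecting the problem; switch back to modulate state
# afterwards if you want the ISN randomisation
pass from <my_admin_net> to any flags S/SA keep state (pflow)
```

Before trusting the 1452 figure, measure the real path MTU from the firewall: on OpenBSD, ping with the Don't Fragment bit set (ping -D -s <size> host) and find the largest payload that still gets a reply, remembering that the payload excludes the 8-byte ICMP header and 20-byte IP header. If the value you find is smaller than expected (a further tunnel inside the ISP, for instance), lower max-mss to match.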