
Scrub reassemble tcp


Scrub reassemble tcp

Evaldas Auryla
Hi all,

Is anyone using "reassemble tcp" with scrub? Been using this for years
without problems, now all of a sudden having trouble with SMTP exchange
with someone; here is the definition I use, on OpenBSD 5.4:

match in all scrub (no-df max-mss 1440 random-id reassemble tcp)

If I telnet port 25 to the other side, I can see sendmail's greeting,
but as soon as I go with "EHLO me.dot.com", no more response, it hangs,
and I see PF sending "icmp host unreachable" to the other side. And if I
remove "reassemble tcp" all goes fine.

I talked to the guys on the other side, their firewall is netasq, and
they don't see anything unusual.

Thanks,

Re: Scrub reassemble tcp

Henning Brauer-2
* Evaldas Auryla <[hidden email]> [2014-11-13 19:30]:
> Is anyone using "reassemble tcp" with scrub ? Been using this for years
> without problems,

you just didn't notice the problems or didn't hit them. Reassemble tcp
isn't 100%, unfortunately, and never was. No changes in ages either.

hitting it more often now isn't too surprising given the increasing use
of window scaling etc.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting

Re: Scrub reassemble tcp

Evaldas Auryla
On 2014-11-14 14:54, Henning Brauer wrote:
>> Is anyone using "reassemble tcp" with scrub ? Been using this for years
>> without problems,
> you just didn't notice the problems or didn't hit them. Reassemble tcp
> isn't 100%, unfortunately, and never was. No changes in ages either.
Well, nobody raised a hand, so let's say I didn't notice.
> hitting it more often now isn't too surprising given the increasing use
> of window scaling etc.
>
I see, so would you recommend not to use it? As a workaround I tried
declaring a second "scrub" line targeting this specific system with "to
IP.." syntax, and pf accepted it, but then it seems to be ignored.

Thanks!
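One way to scope the exception that the post above tried with the "to IP.." syntax, written as an added pf.conf example that is not from the thread. pf's scrub options can be set by a match rule but there is no syntax to clear one again, so a second, more specific scrub rule cannot switch reassembly off for one host (this is the assumption behind the layout here; confirm the loaded rules with pfctl -sr). Instead, the catch-all rule keeps only the stateless options and a second rule applies reassemble tcp to every TCP destination except the problem peer. The macro name smtp_peer and the address 192.0.2.25 are placeholders; the interface names and block policy of the original ruleset are not known.

```conf
# Added example, not from the thread. $smtp_peer is a placeholder for the
# remote MTA that misbehaves behind "reassemble tcp"; replace with the real address.
smtp_peer = "192.0.2.25"

# Stateless normalisation that is safe for every packet: the options of the
# original rule, minus "reassemble tcp".
match in all scrub (no-df max-mss 1440 random-id)

# Stateful TCP normalisation for every destination except the problem peer.
# Negating the address here avoids relying on a later rule to "undo" the
# option, which pf match rules cannot do.
match in proto tcp to ! $smtp_peer scrub (reassemble tcp)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and list the result with pfctl -sr to confirm that the reassemble rule carries the negated destination. If more than one peer needs the exception, put the addresses in a table (table <noreasm> { 192.0.2.25 }) and write the rule as to ! <noreasm>.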

Re: Scrub reassemble tcp

Henning Brauer-2
the entire scrubbing idea is pretty much abandoned these days. it was
a hot topic in the early 2000s (for everybody, not "just" us).

no, don't use tcp reassemble.

* Evaldas Auryla <[hidden email]> [2014-11-21 18:20]:

> On 2014-11-14 14:54, Henning Brauer wrote:
> >>Is anyone using "reassemble tcp" with scrub ? Been using this for years
> >>without problems,
> >you just didn't notice the problems or didn't hit them. Reassemble tcp
> >isn't 100%, unfortunately, and never was. No changes in ages either.
> Well, nobody raised a hand, so let's say I didn't notice.
> >hitting it more often now isn't too surprising given the increasing use
> >of window scaling etc.
> >
> I see, so would you recommend to not use it ? As a workaround I tried
> declaring second "scrub" line targeting this specific system with "to IP.."
> syntax, and pf accepted it, but then it seems to be ignored.
>
> Thanks!
>