[ previous ] [ next ] [ threads ]
 
 From:  "Wayne Marshall" <wcm at guinix dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] accessing netbsd.org from behind m0n0wall
 Date:  8 Sep 2004 17:15:56 -0701
On Wed, 08 Sep 2004 11:35:28 +0200
Manuel Kasper <mk at neon1 dot net> wrote:

> 
> I can reproduce this with my m0n0wall at home (FreeBSD
> client/PPPoE/ADSL) too. The problem doesn't seem to be that MSS
> clamping is not working, but rather that NetBSD sends packets
> larger than [MSS + 40 bytes], which are then fragmented and the
> fragments blocked by ipfilter for some reason.
> 
> Turning off timestamps in the FreeBSD client (sysctl
> net.inet.tcp.rfc1323=0) makes it work.
> 
> This is probably related:
> <http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=20461>
> 
> - Manuel

Thank you for all the digging that went into this reply, Manuel.
This fully explains all the observations reported here, and
provides a workaround for both FreeBSD and OpenBSD clients if
necessary.

The remaining puzzle (only to me, I suppose) is why a similar
firewall with user-ppp, pppoe, and OpenBSD+PF does not block on
the netbsd server.  The FAQ for ipfilter, section X, number 17
notes:

  ...ipfilter doesn't support RFC1323 window size extensions.

Is ipfilter somehow missing a capability that plays a role here?

FWIW, I built up an image with mpd/pppoe configured with:

  set iface tcpmssfix

This did not change anything with respect to browsing the
netbsd.org site, however.

Finally, its kindof funny that NetBSD has not fixed up its tcp
stack for this.  The bug reports do go back many years now...

Stay well,

Wayne

-- 
Wayne Marshall
wcm at guinix dot com