OpenBSD pf 'match in all scrub (no-df)' causes HTTPS to be unreachable on mobile network
- by Frank ter V.
First of all: excuse me for my poor usage of the English language.
For several years I've been experiencing problems with the 'match in all scrub (no-df)' rule in pf. I can't find out what's happening here.
I'll try to be clear and simple. The pf.conf has been extremely shortened for this forum posting.
Here is my pf.conf:
set skip on lo0
match in all scrub (no-df)
block all
block in quick from urpf-failed
pass in on em0 proto tcp from any to 213.125.xxx.xxx port 80 synproxy state
pass in on em0 proto tcp from any to 213.125.xxx.xxx port 443 synproxy state
pass out on em0 from 213.125.xxx.xxx to any modulate state
HTTP and HTTPS were working fine, until the moment a customer in France (Wanadoo DSL) couldn't view HTTPS pages! I blamed his provider and did not investigate that problem.
But then... I bought an Android Samsung Galaxy SII (Vodafone) to monitor my servers. Hours after I walked out of the telephone store: no HTTPS connections to my server! I thought my servers were down and drove back to the office very fast. But they were up.
I discovered that disabling the rule
match in all scrub (no-df)
solves the problem. Android phone (Vodafone NL) and Wanadoo DSL FR are now OK on HTTPS.
But now I don't have any scrubbing anymore. This is not what I want.
Does anyone here understand what is going on? I don't. Enabling scrubbing causes HTTPS webpages not to be loaded on SOME ISPs, but not all.
In systat, strangely, I DO see a state created and packets received from those ISPs...
Still confused. I'm using OpenBSD 5.1/amd64 and OpenBSD 5.0/i386. I have two ISPs at my office (one DSL and one cable). It affects both.
This can be reproduced quite easily. I hope someone has experience with this problem.
Greetings,
Frank