
10.4: A fix for connectivity issues with Apple's servers
Internet (Tiger only hint)

My Mac and other computers all have RFC 1918 (private internets, i.e. 10.0.0.x, etc.) static IP addresses and sit behind an OpenBSD 3.7 box running the pf firewall. pf performs stateful packet-filtering and network address translation (NAT). The OpenBSD firewall gets a statically assigned public IP address from a DHCP pool on its external interface.

I had never had any problems using Software Update, until I installed Tiger on my G5. A day after installation, Software Update stopped working -- it would just hang and then time-out. I searched Apple's forums and noticed many other people experiencing a similar problem. Messages on the forums suggested that some people had luck when they switched their Macs to DHCP. The quickest way I could get a DHCP address for my Mac was to connect it directly to the Internet, outside of my OpenBSD firewall. When I did this, Software Update worked. But whenever the Mac was behind the OpenBSD firewall with a static IP address, Software Update didn't work. I assumed this was an OS bug, especially since Software Update used to work, nothing had changed in my firewall configuration, and tcpdump did show traffic between my Mac and swscan.apple.com when it tried to do a Software Update. 10.4.1 and 10.4.2 came out, and I still could not run Software Update (unless my Mac was connected directly to the Internet via DHCP).

To add to my troubles, I also had issues with connecting to the iTunes Music Store. I had no problems connecting in the past ... until iTunes 5 came out. The day I installed iTunes 5, any connections to the Music Store would hang and then time out. Again, I assumed this was some new, frustrating bug -- this time in iTunes.

Then I remembered some posts I had come across last year discussing an apparent RFC 1323 (TCP Extensions for High Performance) implementation problem specific to apple.com. So I modified my OpenBSD pf.conf firewall ruleset, and changed my scrub rules to:
scrub on $ExtIF from any to swscan.apple.com random-id
scrub on $ExtIF from swscan.apple.com to any random-id
scrub on $ExtIF random-id reassemble tcp
After doing this, both Software Update and iTunes Music Store worked!

I mention this not because I think the macosxhints audience uses OpenBSD firewalls, but if anyone else is having similar connectivity issues with swscan.apple.com and phobos.apple.com, it's possible their firewalls are objecting to Apple's servers' inconsistent use of RFC 1323 TCP timestamps. (Although I still also suspect there was a bug in 10.4.0 interfering with Software Update.)
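As an added illustration (not part of the original hint, and not pf's own code), the following Python script replays a constructed TCP exchange and reports the kind of inconsistency a stateful TCP normaliser such as pf's reassemble tcp objects to: a peer that negotiated RFC 1323 timestamps in the handshake and then sends segments without the option, or whose TSval goes backwards. Every port number, sequence number and timestamp value below is constructed for the example; the parser reads bare TCP headers (no IP header, no checksum check), which is enough to show why such a connection stalls behind a normalising firewall while working on a direct connection.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8
FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP option list and return {kind: payload}.
    EOL ends the list, NOP is a one-byte pad, everything else is kind/len/value."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_tcp_segment(seg: bytes) -> dict:
    """Decode the fixed TCP header plus options; 'ts' is (TSval, TSecr) or None."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("bad data offset")
    opts = parse_tcp_options(seg[20:data_offset])
    ts = None
    if TCP_OPT_TIMESTAMP in opts and len(opts[TCP_OPT_TIMESTAMP]) == 8:
        ts = struct.unpack("!II", opts[TCP_OPT_TIMESTAMP])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "ts": ts}


def build_tcp_segment(sport, dport, seq, ack, flags, ts=None, payload=b"") -> bytes:
    """Constructed test helper: assemble a TCP header, optionally carrying an
    RFC 1323 timestamp option padded to a 4-byte boundary (NOP, NOP, TS)."""
    options = b""
    if ts is not None:
        options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_TIMESTAMP, 10]) + struct.pack("!II", *ts)
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flags, 65535, 0, 0)
    return hdr + options + payload


def check_timestamp_consistency(segments):
    """Replay one connection (both directions, in capture order) and return
    (index, side, reason) for segments a strict normaliser would reject."""
    negotiated, last_tsval, findings = {}, {}, []
    for n, raw in enumerate(segments):
        s = parse_tcp_segment(raw)
        side = (s["sport"], s["dport"])
        if s["flags"] & FLAG_SYN:
            # SYN / SYN-ACK: record whether this side offered timestamps.
            negotiated[side] = s["ts"] is not None
            if s["ts"] is not None:
                last_tsval[side] = s["ts"][0]
            continue
        if s["flags"] & FLAG_RST:
            continue  # RSTs legitimately carry no options
        # RFC 1323: timestamps are in effect only when both SYNs carried them.
        if not (len(negotiated) == 2 and all(negotiated.values())):
            continue
        if s["ts"] is None:
            findings.append((n, side, "timestamp option missing after negotiation"))
            continue
        tsval = s["ts"][0]
        if side in last_tsval and (tsval - last_tsval[side]) % 2**32 >= 2**31:
            findings.append((n, side, "TSval went backwards"))
        last_tsval[side] = tsval
    return findings


# Constructed sample: client port 50000 talking to port 80; the server side
# negotiates timestamps, then sends one segment without them and one that
# steps its TSval backwards.
C, S = (50000, 80), (80, 50000)
SAMPLE_SEGMENTS = [
    build_tcp_segment(*C, 1000, 0, FLAG_SYN, ts=(100, 0)),
    build_tcp_segment(*S, 5000, 1001, FLAG_SYN | FLAG_ACK, ts=(900, 100)),
    build_tcp_segment(*C, 1001, 5001, FLAG_ACK, ts=(101, 900), payload=b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp_segment(*S, 5001, 1019, FLAG_ACK, ts=None, payload=b"HTTP/1.0 200 OK\r\n"),
    build_tcp_segment(*S, 5018, 1019, FLAG_ACK, ts=(890, 101), payload=b"..."),
    build_tcp_segment(*C, 1019, 5021, FLAG_ACK, ts=(102, 900)),
]


def demo():
    """Run the check over the constructed exchange; returns the findings list."""
    return check_timestamp_consistency(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for idx, side, reason in demo():
        print(f"segment {idx} from {side[0]}->{side[1]}: {reason}")
```

Run against a real capture, the same per-flow logic applies to TCP headers pulled from each packet; segments that trigger a finding are the ones a normaliser drops, and dropped packets from one direction only are exactly the symptom the hint describes (a connection that hangs and times out rather than failing outright).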

10.4: A fix for connectivity issues with Apple's servers
Authored by: nosaj56 on Sep 24, '05 05:37:31AM

there is only one internet, mr. bush.



[ Reply to This | # ]
10.4: A fix for connectivity issues with Apple's servers
Authored by: frickster on Oct 02, '05 02:44:20PM

Yes, thanks to Mr. Gore...

---
-frick



[ Reply to This | # ]
10.4: A fix for connectivity issues with Apple's servers
Authored by: patsch on Sep 29, '05 04:55:07AM

Wow! Thanks! We had the exact same setup (OpenBSD 3.7-current (GENERIC) #16: Sun Jul 31 22:16:35 MDT 2005) and problem here. Although on some Macs the update worked flawlessly without adding your lines, some just didn't; they hung endlessly. I was rather confused, to say the least, but now all can and do update happily. Thanks a lot!



[ Reply to This | # ]
10.4: A fix for connectivity issues with Apple's servers
Authored by: bugmenot on May 16, '07 07:55:03PM
I also had this problem with my OpenBSD router about a year ago, and have used this hint's fix since then. I recently tried allowing my router to reassemble tcp again, and software update works now! Either Apple or OpenBSD must have fixed something.

This was a great hint and helped me for a long time, but is no longer necessary. My line in pf.conf is now:

scrub on $ext_if random-id reassemble tcp max-mss 1452

The random-id is for security, the max-mss is because I use PPPoE.

[ Reply to This | # ]