Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Access .Mac web services from behind OpenBSD firewall Internet
We're using OpenBSD 3.7 as a firewall (running pf) and NAT gateway in front of a LAN with some Macs. Everything worked fine, even access to Apple's System Update servers (after applying this hint.) Everything, that is, except the web access to the .Mac services. For instance, would show up only halfway and then stall.

Only after commenting out all lines in /etc/pf.conf using the scrub directive could we then login to our .Mac accounts via the web interface, and still do system updates. So the short version of this hint would be: if you want to use the OpenBSD as a firewall in front of Macs, don't activate scrubbing in pf.conf at all -- make sure all lines starting with scrub are commented out. This, of course, is against what the pf FAQ recommends on the above-linked page:
...scrubbing all packets is highly recommended practice.
So maybe our security at the packet level has been diminished a little bit, but at least we can use Software Update on the Macs, and access sites.
  • Currently 3.60 / 5
  You rated: 3 / 5 (5 votes cast)

Access .Mac web services from behind OpenBSD firewall | 4 comments | Create New Account
Click here to return to the 'Access .Mac web services from behind OpenBSD firewall' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Access .Mac web services from behind OpenBSD firewall
Authored by: evansj on Mar 17, '06 07:28:09AM
I have an OpenBSD firewall at home, using bridge mode rather than NAT (all of my machines have "real" IP addresses). I have
scrub in all
in my pf.conf and everything seems to work fine.

[ Reply to This | # ]
Access .Mac web services from behind OpenBSD firewall
Authored by: skully dazed on Mar 17, '06 07:44:25AM

I've been using the .mac trial account for the last 45 days or so with no problems whatsoever. I've never had a problem accessing Software Update either.

I've been using OpenBSD on my firewall/nat boxes for years, longer than I've been using OSX. Currently my router at home is obsd 3.8, and at work it's obsd 3.7. Neither have any problem, using static addresses or dhcp. I've been using OSX since 10.1 and so far haven't had any problems running software update ever.

And before you think that I'm doing anything special, my ruleset boils down to scrub in, the nat rule, block in on $ext, pass in on sshd.

So before you claim the problem is with "scrub in" you should make sure it still happens on a fresh install of OSX. If you have a firewire drive (or ipod) install a copy of OSX there and see if that copy has problems. I'd be willing to bet it doesn't.

Also note that packet scrubbing is turned on when you activate NAT, as you can't do NAT without it.

[ Reply to This | # ]
use "no scrub"
Authored by: jcs on Mar 17, '06 08:17:27AM
if packet normalization is causing problems for certain hosts, just "no scrub" on those hosts, don't disable it altogether.

find the ip's of the .mac servers and exclude them before your scrub rules:

no scrub in from { x.x.x.x, x.x.x.y, ... }

your post said you're using openbsd 3.7, you may want to upgrade to 3.8 to fix a problem with "no scrub" rules, or purchase a 3.9 cd which is being released very soon.

[ Reply to This | # ]

re: use "no scrub"
Authored by: patsch on Apr 04, '06 02:26:41AM
following your advice I changed the lines concerning scrubbing in my to pf.conf to these:

# the list of "no scrub" hosts is a broad guess. i didn't narrow it down to the only "one" guilty.
no scrub in from {,,,,, }
# the following two lines are taken from the "inventor" of pf at
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

and, yes, you are right: things work that way! thanks!

[ Reply to This | # ]