DaemonForums > OpenBSD > OpenBSD Security

#1
25th November 2014
TronDD
Mac OSX Software Update behind pf

Recently switched to a firewall running 5.6 -stable and pf. Nothing fancy, but relatively restrictive; outbound packets are blocked by default.

The only thing I can't get working is OSX's Software Update / App Store. I have found old references in forums and mailing lists that scrub's reassemble tcp is a problem and disabling it will make software update work again. This hasn't been the case for me. I imagine things have changed quite a bit in the last 4 or 5 years since that tip.

Has anyone had recent experience with this situation?

I tried disabling scrub, set reassemble no, allowing all outbound traffic from the mac. I can watch the traffic on the mac and on the router and I see packets going back and forth, but nothing ever comes up in Software Update.

#2
25th November 2014
Oko

Quote:
Originally Posted by TronDD
Recently switched to a firewall running 5.6 -stable and pf. Nothing fancy, but relatively restrictive; outbound packets are blocked by default.

The only thing I can't get working is OSX's Software Update / App Store. I have found old references in forums and mailing lists that scrub's reassemble tcp is a problem and disabling it will make software update work again. This hasn't been the case for me. I imagine things have changed quite a bit in the last 4 or 5 years since that tip.
Not a problem for me, and I do have

Code:
match in all scrub (no-df max-mss 1440)
match out all scrub (no-df max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
Quote:
Originally Posted by TronDD
Has anyone had recent experience with this situation?
I have pretty tight PF rules. Essentially I block everything and pass out keep state only for the following services.
Obviously udp is stateless, so keep state is not necessary.

Code:
tcp_services = "{ssh, submission, imaps, http, https}"
udp_services = "{domain, ntp, rtsp, 1194}"
Never had any problems updating my kids' OS X.

#3
25th November 2014
TronDD

Ok. So you're not using reassemble tcp.

I'm stumped then. I don't know why this doesn't work for me. Maybe the Mac needs a reboot... Maybe I've confused it with all the firewall changes.

I'm running Mavericks currently. Is your kid's Mac a recent OSX?

Tim.

#4
25th November 2014
Oko

Quote:
Originally Posted by TronDD
Ok. So you're not using reassemble tcp.
No, I checked one more time. I think I ran it in the past, but then I removed it, and I can't recall what the reason was, but updating the Mac had nothing to do with it. I was reading the PF documentation and there was something I read which made me remove the reassemble line.

Quote:
Originally Posted by TronDD
I'm stumped then. I don't know why this doesn't work for me. Maybe the Mac needs a reboot... Maybe I've confused it with all the firewall changes.

I'm running Mavericks currently. Is your kid's Mac a recent OSX?

Tim.
My kids run Lion.

#5
26th November 2014
TronDD

So...it needed a reboot. I thought I was done with that nonsense when I left Windows behind.

I still had to remove reassemble tcp, too, though.

Thanks.
Tim.
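As an added example (not either poster's actual ruleset), here is a complete default-deny pf.conf for OpenBSD 5.6 that combines the pieces from posts #2 and #5: scrub with no-df and max-mss but no reassemble tcp, NAT on egress, and stateful pass out only for the listed services. The internal interface name and network are assumptions.

```conf
# Added example, not Oko's or TronDD's real configuration.
ext_if  = "egress"
lan_if  = "em1"             # assumed internal interface
lan_net = "192.168.1.0/24"  # assumed internal network

tcp_services = "{ ssh, submission, imaps, http, https }"
udp_services = "{ domain, ntp, rtsp, 1194 }"

set skip on lo

# Normalisation as in post #2: clear DF and clamp MSS.
# Deliberately no "reassemble tcp" here; post #5 found Software Update
# only worked after that option was removed.
match in  all scrub (no-df max-mss 1440)
match out all scrub (no-df max-mss 1440)

# NAT for the internal network leaving via the external interface.
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# Default deny in both directions. Logging blocked packets means a client
# that fails silently (as Software Update did) shows up on pflog0.
block log all

# Firewall's own outbound traffic, restricted to the same services.
# pass rules keep state by default, so no explicit "keep state" is needed.
pass out quick on $ext_if inet proto tcp to any port $tcp_services
pass out quick on $ext_if inet proto udp to any port $udp_services

# Internal hosts may only reach the listed services.
pass in quick on $lan_if inet proto tcp from $lan_net to any port $tcp_services
pass in quick on $lan_if inet proto udp from $lan_net to any port $udp_services

# Management of the firewall itself from the LAN.
pass in quick on $lan_if inet proto tcp from $lan_net to ($lan_if) port ssh
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while retrying Software Update to see exactly which packets the block rule drops.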