(perhaps I should create an own blog for that topic)
Last evening, I noticed that my DSL router still was running OpenBSD 3.3 (for some unknown reason, I always thought it had 3.4), when I was preparing for the upgrade to 3.5...
Ok, between 3.3 and 3.4 was the big i386 a.out to ELF binary format change, so I thought I'll just reinstall the whole thing with 3.4 and then do the final upgrade... Fine, backed up some config files to the data partition (which I didn't reformat), ran the installer from a disk, copied back a few of the config files, added my changes to rc.local, and then tried to use the DSL connection.
Everything was fine from the DSL router itself (sure, doesn't need NAT), and from another box on the local net. Just the iBook, which has an extra nat rule with the "static-port" flag to make iChat AV work, couldn't get any connection to outside machines. So, I thought, great, the special NAT rule doesn't work for some reason in OBSD 3.4, but why...? pfctl showed no errors when validating and installing the ruleset.
After about an hour of searching, tcpdumping, pfctl'ing, and swearing, I came to the following conclusions:
- the other machine, which could get connections to internet hosts, had the old router with the modem line as default gateway, and didn't go through the DSL link
- it seemed to be fast on web connections, because it used the web proxy on the DSL router for outgoing http requests
- even if I removed the special NAT rule for the iBook, I couldn't get out
- no state was created for any outgoing connection (in fact, tcpdump didn't show any outgoing packets, except those that originated from the local host)
...and I had forgotten to enable IP forwarding via the appropriate sysctl and the pf rules didn't have anything to do with the problem
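The lesson above (empty state table, no transit packets, NAT rule looks fine) is exactly what a disabled forwarding sysctl produces, so it is worth checking before touching pf.conf. The following shell script is an added example, not part of the original post: it reads the forwarding sysctl, counts pf states that originate on the LAN, and prints a verdict that tells a forwarding problem apart from a rules problem. It assumes OpenBSD's `sysctl name=value` output format and the `pfctl -s states` line layout; the 192.168.1.0/24 LAN prefix and the sample state lines in the usage part are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): first-line diagnostic for
# "my NAT rule validates but hosts behind the router cannot get out" on an
# OpenBSD pf router. With net.inet.ip.forwarding=0 the kernel never sends
# transit packets out the external interface, so pf creates no states for
# them, however the nat rules read. Check the sysctl before the ruleset.

LAN_PREFIX='192\.168\.1\.'   # constructed example LAN; adjust to your net

# parse_forwarding: take one line of `sysctl net.inet.ip.forwarding`
# output (OpenBSD prints "net.inet.ip.forwarding=1") and print 0, 1 or
# "unknown" if the line is not in that form.
parse_forwarding() {
    case "$1" in
        net.inet.ip.forwarding=0) echo 0 ;;
        net.inet.ip.forwarding=1) echo 1 ;;
        *) echo unknown ;;
    esac
}

# count_transit_states: read `pfctl -s states` output on stdin and count
# entries whose source address is on the LAN (i.e. traffic the router is
# forwarding for other hosts, as opposed to its own connections).
count_transit_states() {
    grep -c "${LAN_PREFIX}[0-9]*:[0-9]* ->" || true
}

# diagnose FORWARDING NSTATES: turn the two observations into a verdict.
#   forwarding-disabled   -> fix the sysctl first; pf is not the problem
#   check-pf-rules        -> forwarding is on but no LAN traffic gets
#                            state; now look at nat/pass rules and tcpdump
#   forwarding-and-nat-ok -> LAN hosts are being forwarded and translated
diagnose() {
    fwd="$1"; nstates="$2"
    if [ "$fwd" = 0 ]; then
        echo forwarding-disabled
    elif [ "$fwd" = 1 ] && [ "$nstates" -eq 0 ]; then
        echo check-pf-rules
    elif [ "$fwd" = 1 ]; then
        echo forwarding-and-nat-ok
    else
        echo cannot-tell
    fi
}

# check_live: run the real commands on the router (needs root for pfctl).
check_live() {
    fwd=$(parse_forwarding "$(sysctl net.inet.ip.forwarding)")
    nstates=$(pfctl -s states | count_transit_states)
    echo "forwarding=$fwd lan_states=$nstates verdict=$(diagnose "$fwd" "$nstates")"
    if [ "$fwd" = 0 ]; then
        # Enable now, and persist across reboots in /etc/sysctl.conf.
        echo "hint: sysctl net.inet.ip.forwarding=1; echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf"
    fi
}

# Run live on OpenBSD; elsewhere the functions are just defined for reuse.
if [ "$(uname -s)" = OpenBSD ]; then
    check_live
else
    echo "not OpenBSD: diagnostic functions loaded only"
fi
```

On the router, run it as root after every reinstall or upgrade; a verdict of `forwarding-disabled` means the sysctl (and its line in /etc/sysctl.conf) was lost with the reinstall, and no amount of pfctl work will help until it is back on.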