PF Can't completely disable pf?

Bucky

Member

Thanks: 8
Messages: 32

#1
Strange one here. I have one website where I cannot login to my account (https://business.comcast.com). The front page comes up, I click on the 'sign in' or 'My Account' links and after a while I get redirected to 'xfinity.oauth....', which ultimately fails to load.

I tried killing pf completely: pfctl -d, service pf stop, pfctl -F all. pfctl -sr then returns nothing so I'm presuming I have no firewall at all. Still, when I click the login link at the comcast.com site, I get redirected to the other site (which fails to load).

If I completely bypass the server on which pf usually runs (run the cat5 cable from my desktop to the modem direct), I can login just fine. I'm blaming this on pf even when it isn't supposedly running, just for existing on this box. Of course that is superstition talking. I don't seem to have a problem at any other websites I visit with pf running. I spent an hour with Tier 2 tech support and there is no question it is something about my freebsd server box.

Anyone seen anything like this? Have a solution?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 6,589
Messages: 28,098

#2
Still, when I click the login link at the comcast.com site, I get redirected to the other site (which fails to load).
PF works on layers 3 and 4. This happens at layer 7. This is not caused by PF.
If I completely bypass the server on which pf usually runs (run the cat5 cable from my desktop to the modem direct), I can login just fine.
Proxy perhaps? Some dodgy "privacy" VPN? Browser hijack (malware)? I can think of a number of reasons why this could happen and none of them involve PF.
 
OP
OP
B

Bucky

Member

Thanks: 8
Messages: 32

#3
Stranger and stranger. I rebooted the server, left pf.conf alone and presto - I can log in... for now.

I guess never mind this question (or mark it "solved") insofar as it is NOT a pf problem as you rightly stated.

Thanks!
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 6,589
Messages: 28,098

#4
I'm pretty certain the issue is not PF, but that doesn't mean there's no issue. Login screens getting hijacked or redirected make the hairs on my neck stand on end, as that's some seriously dodgy behavior. Comcast is a favorite target for malware writers. So it's not unthinkable your modem or your browser got hijacked.
 
OP
OP
B

Bucky

Member

Thanks: 8
Messages: 32

#5
Not likely the modem got hijacked. Browser perhaps, but I've had that before and this is different. Makes my neck hairs stand up, too.

I'll add another layer of complication to the puzzle. I have a static, business class IPv4 address with Comcast Business. A couple of years ago I signed up with Hurricane Electric for a free IPv6 address so I could learn all about IPv6. (I've been told that the entire Residential side of Comcast is IPv6 now). Anyway I have the IPv6 tunneling set up and working for the last two years but pretty much only use it for doing NTP updates (alongside IPv4 NTP sites and I think unbound does some IPv6 lookups as well).

Anyway, last month when this login failure stuff happened, I used tcpdump to look at the packet stream and the redirection goes from the IPv4 Comcast Business site to the non-working IPv6 Xfinity Residential site. Weird, weird, weird.

Anyway, for now it worked so I could grab my billing statement and I'll have to look into this some more another time. Thank you!
 
Top