PF Firewall causes PR_CONNECT_RESET_ERROR in Firefox when attaching large files to Squirrelmail messages.

I am replacing an IPTABLES-based firewall and CentOS-based router with a replacement system running PF on FreeBSD-13. I have numerous issues to deal with and the current one has to do with Firefox and Squirrelmail (SM).

Users can reach SM and compose, send, and receive email. They can attach small files. However, anything larger than ~16k causes the following Firefox error:

Code:
Secure Connection Failed

An error occurred during a connection to webmail.harte-lyne.ca.
PR_CONNECT_RESET_ERROR

    The page you are trying to view cannot be shown because the authenticity of
the received data could not be verified.
    Please contact the web site owners to inform them of this problem.

If I stop the PF firewall then the problem goes away. So, the firewall must be the problem. But what is causing this?

Also, this only occurs on workstations that use a private IPv4 address, all of which are in the 192.168.0.0/16 netblock. Workstations that have a routable public IPv4 address do not experience this problem. Files up to the maximum size configured in php.ini attach fine.

The new GW router has multiple NIC ports. One of these is the WAN (em5). One is the public address LAN (em4). The third is 192.168.0.1/16 LAN (em3).

The internal private interface is NATed.

Code:
nat           on  $if_ext\
                from  $ip_private\
                to    any ->  $ip_nat

This works but should be irrelevant as the traffic to SM comes in on em3 and goes out on em4.

Traffic to SM is not filtered per se:
Code:
##  Allow access to WebMail servers
pass          quick \
                proto { tcp, udp} \
                from  any \
                to    $ip_webmail port  $port_http

but normalization is performed:
Code:
### clean up incoming packets and reassemble fragments
scrub in all fragment reassemble no-df max-mss 1440
 