Date: Mon, 19 Aug 2013 13:13:11 +0400
From: Alexander <axex007@yandex.ru>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: Windows 7 + freebsd-pf + windows scale SYN-ACK problem
Message-ID: <5211E1A7.7070804@yandex.ru>
In-Reply-To: <20130816171227.GB28156@insomnia.benzedrine.cx>
References: <520E1822.7010505@yandex.ru> <20130816125058.GA28156@insomnia.benzedrine.cx> <520E35B3.4080607@yandex.ru> <20130816171227.GB28156@insomnia.benzedrine.cx>
On 16.08.2013 21:12, Daniel Hartmeier wrote:
> On Fri, Aug 16, 2013 at 06:22:43PM +0400, Alexander wrote:
>
>> My connection with server (port 6666) starts to work and I think I
>> can be satisfied by this solution. But I still cannot understand why
>> packets are dropped without no state rules. As I revealed they are
>> dropped between bridge0 and vlan 1 interfaces.
> This is probably because you filter on bridge0.
>
> There are some sysctl's related to this, run sysctl -a | grep bridge
> I think in some combinations, pf sees packets on the bridge interface
> with the wrong direction.
>
> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?
>
> Daniel

Ok! I tried to remove rxcsum and txcsum on lo0 - didn't help.

> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?

I have a 'pass on bridge0 all flags S/SA keep state' rule on bridge, all other filters are on physical interfaces.

Here's my full ruleset:

root@gate:~ # pfctl -s rules
pass in quick on vlan1 route-to lo0 inet proto tcp from <My_net> to 127.0.0.1 port = 3128 flags S/SA keep state
block drop in quick inet proto icmp from any to 255.255.255.255
block drop in quick inet from 127.0.0.0/8 to any
block drop in quick on vlan1 inet from ! <My_net> to any
block drop in log quick on bge0 inet from <My_net> to any
block drop in log quick on bge0 inet from <nat> to any
block drop in log quick on bge0 inet from <block_nets> to any
block drop all
pass in on bge0 inet proto tcp from <branches> to 172.29.27.199 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.199 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.211 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.211 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.197 flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.196 flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.198 flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = z39.50 flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.196 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.196 port = 6666 flags S/SA keep state
pass in on bge0 inet proto udp from <branches> to 172.29.27.197 keep state
pass in on bge0 inet proto udp from <branches> to 172.29.27.196 keep state
pass in on bge0 inet proto udp from <branches> to 172.29.27.198 keep state
pass in on bge0 inet proto icmp from <branches> to 172.29.27.197 keep state
pass in on bge0 inet proto icmp from <branches> to 172.29.27.196 keep state
pass in on bge0 inet proto icmp from <branches> to 172.29.27.198 keep state
pass in on vlan1 inet from <nat> to 8.8.8.8 flags S/SA keep state
pass in on vlan1 inet from <nat> to 172.16.172.16 flags S/SA keep state
pass in on vlan1 inet from <nat> to 192.168.192.168 flags S/SA keep state
pass in on vlan1 inet proto udp from <My_net> to 172.29.27.194 port = ntp keep state
pass in on vlan1 inet proto tcp from 172.29.27.200 to 172.29.27.194 port = 10050 flags S/SA keep state
pass in on vlan1 from <dmz> to ! <ISP_NET> flags S/SA keep state
pass in on vlan1 from <nat> to ! <ISP_NET> flags S/SA keep state
pass in on vlan1 from <My_net> to any flags S/SA keep state
pass on bridge0 all flags S/SA keep state

There are no scrub rules.

My sysctl -s | grep bridge:

net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.pcib.1.%desc: ACPI PCI-PCI bridge
dev.pcib.2.%desc: ACPI PCI-PCI bridge
dev.pcib.3.%desc: ACPI PCI-PCI bridge
dev.pcib.4.%desc: ACPI PCI-PCI bridge
dev.pcib.5.%desc: ACPI PCI-PCI bridge
dev.pcib.6.%desc: ACPI PCI-PCI bridge
dev.hostb.0.%desc: Host to PCI bridge
dev.isab.0.%desc: PCI-ISA bridge

As I mentioned earlier, disabling wscale support on Windows 7 makes connection between MY_LAN and server in <ISP_NET> on port 6666 work.
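As an added illustration of the double-filtering setup Daniel's reply points at (this is an example written for this page, not code from the thread or from pf itself): a small Python audit that parses text in the shape of `pfctl -s rules` output together with the net.link.bridge sysctls, and lists the stateful rules bound to a bridge interface when pfil_member and pfil_bridge are both 1, the combination in which if_bridge(4) runs pf once on the member interface and again on bridge0. The sample rules and sysctl lines are constructed from the ones quoted in the message, and the regex only models the rule prefix (action, direction, quick, on <iface>), which is an assumption about the output format.

```python
import re

# Constructed sample in the shape of `pfctl -s rules` output, using rules
# quoted in the message above (a subset, not live output).
SAMPLE_RULES = """\
pass in quick on vlan1 route-to lo0 inet proto tcp from <My_net> to 127.0.0.1 port = 3128 flags S/SA keep state
block drop in quick on vlan1 inet from ! <My_net> to any
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.196 port = 6666 flags S/SA keep state
pass on bridge0 all flags S/SA keep state
"""
# Constructed sample of the relevant `sysctl -a | grep bridge` lines.
SAMPLE_SYSCTL = """\
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
"""
# Assumed rule prefix: action, optional direction, optional quick, optional "on <iface>".
RULE_RE = re.compile(
    r"^(pass|block(?: drop)?)(?:\s+(in|out))?(?:\s+(quick))?(?:\s+on\s+(\S+))?")
STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")

def parse_rules(text):
    """Parse rule lines into dicts: action, direction, iface, stateful, text."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        m = RULE_RE.match(line) if line else None
        if not m:
            continue  # not a rule line (e.g. a shell prompt)
        rules.append({
            "action": m.group(1),
            "direction": m.group(2) or "any",
            "iface": m.group(4) or "any",
            "stateful": any(k in line for k in STATE_KEYWORDS),
            "text": line,
        })
    return rules

def parse_sysctl(text):
    """Turn `name: value` lines into a dict of strings."""
    return {k.strip(): v.strip() for k, v in
            (l.split(":", 1) for l in text.splitlines() if ":" in l)}

def bridge_double_filter_findings(rules, sysctl):
    """Stateful rules on a bridge interface while pf also runs on the member
    interfaces (pfil_member=1, pfil_bridge=1): each frame is filtered twice."""
    if not (sysctl.get("net.link.bridge.pfil_member") == "1"
            and sysctl.get("net.link.bridge.pfil_bridge") == "1"):
        return []
    return [r["text"] for r in rules
            if r["iface"].startswith("bridge") and r["stateful"]]
```

Run it against your own `pfctl -s rules` and `sysctl -a | grep bridge` output to see which stateful rules are evaluated on bridge0 in addition to the member interfaces.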