From owner-freebsd-pf@FreeBSD.ORG Mon Aug 19 09:13:19 2013
From: Alexander
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Mon, 19 Aug 2013 13:13:11 +0400
Message-ID: <5211E1A7.7070804@yandex.ru>
In-Reply-To: <20130816171227.GB28156@insomnia.benzedrine.cx>
Subject: Re: Windows 7 + freebsd-pf + windows scale SYN-ACK problem

On 16.08.2013 21:12, Daniel Hartmeier wrote:
> On Fri, Aug 16, 2013 at 06:22:43PM +0400, Alexander wrote:
>
>> My connection with server (port 6666) starts to work and I think I
>> can be satisfied by this solution. But I still cannot understand why
>> packets are dropped without no state rules. As I revealed they are
>> dropped between bridge0 and vlan 1 interfaces.
> This is probably because you filter on bridge0.
>
> There are some sysctl's related to this, run sysctl -a | grep bridge
> I think in some combinations, pf sees packets on the bridge interface
> with the wrong direction.
>
> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?
>
> Daniel

Ok! I tried to remove rxcsum and txcsum on lo0 - didn't help.

> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?

I have a 'pass on bridge0 all flags S/SA keep state' rule on the bridge; all other filters are on physical interfaces.

Here's my full ruleset:

root@gate:~ # pfctl -s rules
pass in quick on vlan1 route-to lo0 inet proto tcp from  to 127.0.0.1 port = 3128 flags S/SA keep state
block drop in quick inet proto icmp from any to 255.255.255.255
block drop in quick inet from 127.0.0.0/8 to any
block drop in quick on vlan1 inet from !  to any
block drop in log quick on bge0 inet from  to any
block drop in log quick on bge0 inet from  to any
block drop in log quick on bge0 inet from  to any
block drop all
pass in on bge0 inet proto tcp from  to 172.29.27.199 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.199 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.211 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.211 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.197 flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.196 flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.198 flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.195 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.195 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.195 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.195 port = z39.50 flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.196 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from  to 172.29.27.196 port = 6666 flags S/SA keep state
pass in on bge0 inet proto udp from  to 172.29.27.197 keep state
pass in on bge0 inet proto udp from  to 172.29.27.196 keep state
pass in on bge0 inet proto udp from  to 172.29.27.198 keep state
pass in on bge0 inet proto icmp from  to 172.29.27.197 keep state
pass in on bge0 inet proto icmp from  to 172.29.27.196 keep state
pass in on bge0 inet proto icmp from  to 172.29.27.198 keep state
pass in on vlan1 inet from  to 8.8.8.8 flags S/SA keep state
pass in on vlan1 inet from  to 172.16.172.16 flags S/SA keep state
pass in on vlan1 inet from  to 192.168.192.168 flags S/SA keep state
pass in on vlan1 inet proto udp from  to 172.29.27.194 port = ntp keep state
pass in on vlan1 inet proto tcp from 172.29.27.200 to 172.29.27.194 port = 10050 flags S/SA keep state
pass in on vlan1 from  to !  flags S/SA keep state
pass in on vlan1 from  to !  flags S/SA keep state
pass in on vlan1 from  to any flags S/SA keep state
pass on bridge0 all flags S/SA keep state

There are no scrub rules.

My sysctl -s | grep bridge:

net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.pcib.1.%desc: ACPI PCI-PCI bridge
dev.pcib.2.%desc: ACPI PCI-PCI bridge
dev.pcib.3.%desc: ACPI PCI-PCI bridge
dev.pcib.4.%desc: ACPI PCI-PCI bridge
dev.pcib.5.%desc: ACPI PCI-PCI bridge
dev.pcib.6.%desc: ACPI PCI-PCI bridge
dev.hostb.0.%desc: Host to PCI bridge
dev.isab.0.%desc: PCI-ISA bridge

As I mentioned earlier, disabling wscale support on Windows 7 makes the connection between MY_LAN and the server on port 6666 work.
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 19 11:06:48 2013
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 19 Aug 2013 11:06:48 GMT
Message-Id: <201308191106.r7JB6mVO006108@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/179392  pf    [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf    [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o kern/173659  pf    [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/87074   pf    [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf    [pf] pf does not use default timeouts when reloading c
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

55 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Aug 20 17:05:07 2013
From: Darren Pilgrim
To: Alexander
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 Aug 2013 13:03:57 -0400
Message-ID: <5213A17D.7030104@bluerosetech.com>
In-Reply-To: <5211E1A7.7070804@yandex.ru>
Subject: Re: Windows 7 + freebsd-pf + windows scale SYN-ACK problem

On 8/19/2013 5:13 AM, Alexander wrote:
> I have 'pass on bridge0 all flags S/SA keep state rule on bridge'

That still filters on the bridge interface. Worse, it doesn't allow everything. You need to set skip on bridge0 to completely disable pf on that interface.
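An added example, not from the thread: a small POSIX sh audit that checks a saved `pfctl -s rules` dump, a pf.conf fragment and `sysctl net.link.bridge` output for the pitfall discussed above (pf still evaluating packets on bridge0). The sample inputs are constructed from the ruleset and sysctl values Alexander posted, with the missing table names replaced by `any`; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits saved pf/bridge state for the
# pitfall discussed above: pf evaluating packets on bridge0 itself.
# Inputs are constructed from the posted ruleset and sysctl values.

RULES_BEFORE='block drop all
pass in on bge0 inet proto tcp from any to 172.29.27.196 port = 6666 flags S/SA keep state
pass on bridge0 all flags S/SA keep state'

# pf.conf fragment with the fix Darren proposes: pf never sees bridge0 at all.
CONF_AFTER='set skip on bridge0
block drop all
pass in on bge0 inet proto tcp from any to 172.29.27.196 port = 6666 flags S/SA keep state'

SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'

# Number of filter rules that match on the bridge interface itself.
count_bridge_rules() {
    printf '%s\n' "$1" | grep -c -E '^(pass|block|match)( .*)? on bridge0( |$)' || true
}

# Prints 1 if the config skips bridge0, else 0.
has_skip_bridge() {
    if printf '%s\n' "$1" | grep -q -E '^set skip on .*bridge0'; then echo 1; else echo 0; fi
}

# Prints 1 if the kernel still hands bridge0 packets to pf (pfil_bridge=1), else 0.
bridge_pfil_enabled() {
    if printf '%s\n' "$1" | grep -q '^net\.link\.bridge\.pfil_bridge: 1$'; then echo 1; else echo 0; fi
}

# Verdict: "skipped" when pf will not see bridge0 (set skip, or pfil_bridge=0),
# "filtered" when it still will; with pfil_bridge=1 and no bridge0 rule the
# packets fall through to the catch-all "block drop all".
verdict() {  # $1 rules-or-conf text, $2 sysctl text
    if [ "$(has_skip_bridge "$1")" = 1 ] || [ "$(bridge_pfil_enabled "$2")" = 0 ]; then
        echo skipped
    else
        echo filtered
    fi
}

verdict "$RULES_BEFORE" "$SYSCTL"   # filtered
verdict "$CONF_AFTER" "$SYSCTL"     # skipped
```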