Site Navigation

Date:      Fri, 16 Aug 2013 15:24:26 -0400
From:      Jason Hellenthal <jhellenthal@dataix.net>
To:        Alexander <axex007@yandex.ru>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: Windows 7 + freebsd-pf + windows scale SYN-ACK problem
Message-ID:  <D0F0B6F2-AF75-467B-93B8-AE2BE3A0A6EB@dataix.net>
In-Reply-To: <520E35B3.4080607@yandex.ru>
References:  <520E1822.7010505@yandex.ru> <20130816125058.GA28156@insomnia.benzedrine.cx> <520E35B3.4080607@yandex.ru>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
Remove scrub on the interface. This is only an assumption that you have it in your rules file not appearing here ? But ice noticed a similar behavior before with windows 7.

Not sure if this might help either but turn off rxcsum and txcsum on lo0

-- 
 Jason Hellenthal
 Inbox: jhellenthal@DataIX.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


On Aug 16, 2013, at 10:22, Alexander <axex007@yandex.ru> wrote:

> On 16.08.2013 16:50, Daniel Hartmeier wrote:
>> On Fri, Aug 16, 2013 at 04:16:34PM +0400, Alexander wrote:
>> 
>>> Now my question is, is there any solution to stop PF block syn-ack
>>> packets that don't have wscale option in a connection where syn
>>> packet has it (in my case wscale proposed by windows 7 host is 8)
>> The missing wscale on the SYN-ACK is not the reason pf is blocking the
>> packet. This case is quite common: if the client supports (and offers)
>> window scaling, but the server doesn't support it. If pf would not work
>> in this case, more people would have noticed already ;)
>> 
>> So, what other reasons could there be for the reply to arrive on the
>> external interface but not get forwarded to the internal interface
>> (that's what you verified, right?)?
>> 
>> Check pfctl -si output before and after reproducting the problem,
>> are any counters increasing? If you simply disable pf for a test,
>> does it work?
>> 
>> Same with netstat -sp ip|tcp
>> 
>> HTH,
>> Daniel
> Big thanks to your feedback.
>> (that's what you verified, right?)?
> 
> Yes, I surely did. On $if_int my dump doesn't notice any [S.] packets from server and on client using wireshark i don't see them as well.
> tcpdump -i vlan1 host 172.29.67.67 and host 172.29.27.204
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vlan1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 18:21:00.553449 IP 172.29.27.204.55111 > 172.29.67.67.6666: Flags [S], seq 3377056805, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:03.559818 IP 172.29.27.204.55111 > 172.29.67.67.6666: Flags [S], seq 3377056805, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:04.868003 IP 172.29.27.204.55114 > 172.29.67.67.6666: Flags [S], seq 1159659251, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:05.003432 IP 172.29.27.204.55115 > 172.29.67.67.6666: Flags [S], seq 3718401262, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:05.144330 IP 172.29.27.204.55116 > 172.29.67.67.6666: Flags [S], seq 3444072516, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 
> Turning off PF woks.
> Some more info:
> Before test:
> root@gate:~ # pfctl -si
> Status: Enabled for 0 days 00:26:54           Debug: Urgent
> 
> State Table                          Total             Rate
>  current entries                      927
>  searches                       365228065       226287.5/s
>  inserts                          2898304         1795.7/s
>  removals                         2897377         1795.2/s
> Counters
>  match                            3310402         2051.1/s
> .............................................
>  ip-option                         108080           67.0/s
>  proto-cksum                            0            0.0/s
>  state-mismatch                      2648            1.6/s
>  state-insert                         214            0.1/s
>  ...............................................
> After test:
> root@gate:~ # pfctl -si
> Status: Enabled for 0 days 00:27:00           Debug: Urgent
> 
> State Table                          Total             Rate
>  current entries                      890
>  searches                       365299207       225493.3/s
>  inserts                          2898323         1789.1/s
>  removals                         2897433         1788.5/s
> Counters
>  match                            3310425         2043.5/s
> ...................................
>  ip-option                         108080           66.7/s
>  proto-cksum                            0            0.0/s
>  state-mismatch                      2650            1.6/s
>  state-insert                         214            0.1/s
> ..................................
> 
> As i understand we have 2 packets(syn-acks i suppose) dropped due to state-mismatch.
> My further investigation revealed if i put following rules: (where vlan1 = $if_int, bge0 = $if_ext, and bridge0 to pass not natted traffic)
> block drop all
> pass quick on vlan1 inet proto tcp from 172.29.67.67 port = 6666 to <My-net> no state
> pass quick on bge0 inet proto tcp from 172.29.67.67 port = 6666 to <My-net> no state
> pass quick on bridge0 inet proto tcp from 172.29.67.67 port = 6666 to any no state
> pass quick on bridge0 inet proto tcp from <My-net> to 172.29.67.67 port = 6666 no state
> pass quick on vlan1 inet proto tcp from <My-net> to 172.29.67.67 port = 6666 no state
> pass quick on bge0 inet proto tcp from <My-net> to 172.29.67.67 port = 6666 no state
> .....omitted...
> <here and till the and i have only pass rules>
> 
> My connection with server (port 6666) starts to work and i think i can be satisfied by this solution. But i still cannot understand why packets are dropped without no state rules. As i revealed they are dropped between bridge0 and vlan 1 interfaces.
> 
> (to be more specific - clients that experience this problem are not natted on gateway they are just filtered by pf)
> 
> PS: Do i need to add netstat -sp outputs?
> 
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

[-- Attachment #2 --]
0�	*�H��

��0�

10	+0�	*�H��


��90�00��
��0
	*�H��


0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0
130518085048Z
140519220947Z0H10Ujhellenthal@dataix.net1%0#	*�H��

	
jhellenthal@dataix.net0�
"0
	*�H��



�
0�

�

�'`T�mfkܨJ5�u+c�'�U�p�b����`��zv�)&ȸX�Z*V��N�6�Jv�LoV�o�h�}�g�
p�QDŽKf/�tZ�A�˳(���"4Ԅ��˻�'�d2h|��IB�l�'���^v�^��;'��e8�S��9�9���ۿVm|k8_UQ��t�C�"5�l��!kjZ]އQGn����\��B�Ž�h�!FT�sD�%���pV^�E��ӑ
d¨x͸"�9
г"����
����f�

���0��0	U00U�0U%0+
+
0U�ڔ�fm��V�ʢ�$䟓�0U#0�Sr풜���
\|~�5N�ԸQ�0!U0�jhellenthal@dataix.net0�
LU �
C0�
?0�
;+

��7
0�
*0.+

"http://www.startssl.com/policy.pdf0��+
0��0' StartCom Certification Authority0

��This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.06U/0-0+�)�'�%http://crl.startssl.com/crtu1-crl.crl0��+


��009+
0
�-http://ocsp.startssl.com/sub/class1/client/ca0B+
0�6http://aia.startssl.com/certs/sub.class1.client.ca.crt0#U0�http://www.startssl.com/0
	*�H��


�

{0���Ӹ,52��W{��E�y�8�b�[���{��7��_�+��P�"��n�[���"-�,��@Žp��J��-W��$ݍ�jWA��-6���z��(	���RdIZ�.����Kz�X�є[�K6}{�s+v.�Q��h�0���P�ͅK��h�Tw0I�7�3l��z*�Kv��4Kkگ��6�3;�p1:ױ����@)����]o�k>:W�%Xw�C1þL�/�o8���~#�oP�0�40��

0
	*�H��


0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0
071024210155Z
171024210155Z0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA0�
"0
	*�H��



�
0�

�

�	���-��)�.����2����A�UG��o��#G�
�B|N�D�����Rp�M-��B��=o���-�we�5��J�Qpa>O��.�#������.���_�<���V��
[~�*��*�p�z��~�3�W�G�.ᘟ����Ml�r[�<C�e�6���f����q������O���"��u��xf�WN�#�u����i���c�gk��v$����Lb�%�������y��`�����_�{`���xK'G�N��

��
�0�
�0U

�0

�0U

�
0USr풜���
\|~�5N�ԸQ�0U#0�N��@[�i�0�4hC�A��0f+


Z0X0'+
0
�http://ocsp.startssl.com/ca0-+
0�!http://www.startssl.com/sfsca.crt0[UT0R0'�%�#�!http://www.startssl.com/sfsca.crl0'�%�#�!http://crl.startssl.com/sfsca.crl0��U y0w0u+

��7

0f0.+

"http://www.startssl.com/policy.pdf04+

(http://www.startssl.com/intermediate.pdf0
	*�H��


�

�}x�,\�c�^��#wM�q�}��>UK/��^y��X֏y	����f�rMIŲ�B6�1ymQ󸟆�ҨݬZ���0���&��;�@��#13qۑ��&	��̢����
��o�	6�r��_��;�GO>*I�(	7�4���XS1r3��)!�LJ�y��6Ko����tˆ#
_�w�S�r���
�;�B
A�Dp�(f��s�������䰷6%�����.W0J3�:b�C�<�8t X����1�<��C��n�=�����t==�wS���T������~���\�wkB�f�|1��5���zU��P)��(���I��j��VB��!����OfI=b
��b�\4�-*em��/нSJm�7���N�����[�]'��@ڽ��D9�Kr>���R��7/��|�o���^I@�ټ'��Pa$ z��9�a'L�)��(�
�I��}v��c�H]�۸�D����*�W�}
m�>Q����|�C.�(,�l��Q�0��0���


0
	*�H��


0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0
060917194636Z
360917194636Z0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom Certification Authority0�"0
	*�H��



�0�
�
���	�lF|x��{�3��rb��6 "$^��w�C
�d�̎6�8�#�nm�<�r����=�3+�/���AYg��}
�t��yL�7z�9RY��FC�҅���q�ub4�,����4�ǖ�R=�3��M�;JK��&/��r5w�<]���&�6v\
�t%������x�-�0
-ry�F�*�����I�����
�
�cS�b�:̵f��kt�+�v>�m��D�sb;ľ�SV%lQ	���ʿv�m��ۿ=f�V���H�:KߧXP�8u�[�C����lMp[)e�ݪ]̯
1��ҍ��{�n�'fH�nB�?�!>{�
p�c��lT�\%zɢɋ��,~^MXn
�
�2�����n��6I�Hi�–M�i�
���y"H��{i�p��z7��
�vOW��������`�g:�����ԋr"�Ɵ���������ƶ�\R<��*s

�`�z/�ۣn�&0���݉W��=��+ŷv��+��*r��3�]	K߻�tRK

��R0�N0U0

�0U
�0UN��@[�i�0�4hC�A��0dU]0[0,�*�(�&http://cert.startcom.org/sfsca-crl.crl0+�)�'�%http://crl.startcom.org/sfsca-crl.crl0�
]U �
T0�
P0�
L+

��7


0�
;0/+

#http://cert.startcom.org/policy.pdf05+

)http://cert.startcom.org/intermediate.pdf0��+
0��0' Start Commercial (StartCom) Ltd.0

��Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://cert.startcom.org/policy.pdf0	`�H
��B

08	`�H
��B

+)StartCom Free SSL Certification Authority0
	*�H��


�
l��f4�Ѕ^}
��N8^ߦ%K�2��;�=�D	[I�)�f����%�	<���6�+K�h�9f=�&��9�Q��{~��Z��Wpi��^X�
ߌ�E8
^W�b�z�����)����n(�DÐ�8�<�CMdE��(�\�s{�諱�.\dns1:����}��Q�;���M�f{<�Ӛ��eP���u�/���C��i��y�C�Fr�d6��%8��w~�kj���DK�x����,KD�4R'�
]�����x�S2݀�fuٵh(�a.���8����gd�./�p�ǖ|�e��CT�ݥ�9�`�4ɖp,��H{�~k����";���*���R��KU�����"��4N&"��,uJ��}׸d�6��/��#	��;sI�jW����xřCc�M�w-�e�riG	�
V$��y�X.��	
~��m>��J9��+���u���	�U7��7�Cb ��VKe��l�$�$�4���"��}?�eQ
�0j���
�r��^1�o0�k

0��0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA��0	+��
�0	*�H��

	1	*�H��


0	*�H��

	1
130816192428Z0#	*�H��

	1>�o{g3V�Brc��<)�)0��	+

�71��0��0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA��0��*�H��

	1�����0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 Primary Intermediate Client CA��0
	*�H��



�
6��{�w!֊
����p����%��n��:\�t�&���4����Y+B�m{��n��z��mv,�� �}��l
�BX�'�E�@�)w]�4��b�fn2�x�u��b��>�4�)‘��6
\�ٿaCxQ�#Ҷ��|)G��f�*��e�y��R���2�LL�J��.O����3	fQ���M#mc�V�x0
�(	c���c�
D�E��c��5�O�6o��->>F{�I�ar$���f����C�ptb|o��tJ���

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D0F0B6F2-AF75-467B-93B8-AE2BE3A0A6EB>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact