From: Alexander <axex007@yandex.ru>
Date: Fri, 16 Aug 2013 16:16:34 +0400
To: freebsd-pf@freebsd.org
Subject: Windows 7 + freebsd-pf + window scale SYN-ACK problem
Message-ID: <520E1822.7010505@yandex.ru>

Hello everyone,

I've recently run into the following problem. My network behind a PF firewall uses a service on a server that is located elsewhere (not under my control):

My_Lan ---- Gateway (FreeBSD 9.1, pf) ---- ISP (for educational institutes) network ---- gateway (Netfilter on Debian) ---- Server (service on port 6666).

The server runs a Windows service, so all the workstations on my network that use it are Windows operating systems. When I try to establish a connection to this server from Windows XP machines, everything works OK. But doing the same thing from Windows 7 results in a timeout and the connection never being established.

Windows XP connection establishment dump:

16:00:07.980374 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [S], seq 3588960800, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982267 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [S.], seq 3181331995, ack 3588960801, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982442 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [.], ack 1, win 65535, length 0
16:00:07.982617 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [P.], seq 1:41, ack 1, win 65535, length 40
16:00:07.987943 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [P.], seq 1:38, ack 41, win 64240, length 37
16:00:07.987955 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [F.], seq 38, ack 41, win 64240, length 0

Windows 7 connection establishment dump:

16:05:10.539208 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:10.541103 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.546167 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.553589 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:19.551960 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:19.631731 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,nop,sackOK], length 0

Here my firewall blocks the SYN-ACK packet that comes from the server (the dump is taken on the external interface), and the client doesn't send an ACK. I know why the server doesn't respond with the wscale option: it is running Windows Server 2003, which by default doesn't support it. If I turn off window scale support on Windows 7, everything starts to work, but I can't accept this as a solution, because I'll get poor bandwidth to high-latency hosts.

I tried to add the following rules at the end of pf.conf, but it didn't help:

pass in on $if_int proto tcp from to 172.29.67.67 port 6666 no state
pass in on $if_ext proto tcp from 172.29.67.67 port 6666 to any no state

Now my question is: is there any way to stop PF from blocking SYN-ACK packets that don't have the wscale option in a connection where the SYN packet has it (in my case the wscale proposed by the Windows 7 host is 8)?
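The handshakes quoted above illustrate the rule from RFC 7323 section 2.2 that trips stateful firewalls and end hosts alike: window scaling is only in effect when both the SYN and the SYN-ACK carry the wscale option, and when only one side sends it, both sides must fall back to a shift of 0. The following script is an added example and is not code from the post or from the FreeBSD project; it parses tcpdump TCP lines of the form shown above, pairs each SYN with its SYN-ACK, and reports how scaling was negotiated for each connection, so a defender can confirm from a capture whether a stalled handshake is the asymmetric case before changing any firewall rules. The sample input is constructed from the two handshakes quoted in the post; the regular expressions assume tcpdump's default `-n` output format.

```python
import re

# Constructed sample input: the Windows XP and Windows 7 handshakes from the post.
# The Windows 7 client offers wscale 8 in its SYN; the server's SYN-ACK omits it.
SAMPLE_DUMP = """\
16:00:07.980374 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [S], seq 3588960800, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982267 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [S.], seq 3181331995, ack 3588960801, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982442 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [.], ack 1, win 65535, length 0
16:05:10.539208 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:10.541103 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.546167 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.553589 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

# tcpdump -n line layout: "<ts> IP <src.port> > <dst.port>: Flags [<flags>], ..."
HEAD_RE = re.compile(r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]')
WIN_RE = re.compile(r'\bwin (\d+)')
OPTS_RE = re.compile(r'options \[([^\]]*)\]')


def parse_line(line):
    """Parse one tcpdump TCP line into a dict; return None for anything else."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    w = WIN_RE.search(line)
    pkt['win'] = int(w.group(1)) if w else None
    o = OPTS_RE.search(line)
    opts = [x.strip() for x in o.group(1).split(',')] if o else []
    pkt['wscale'] = None  # shift count from the wscale option, if offered
    for opt in opts:
        if opt.startswith('wscale '):
            pkt['wscale'] = int(opt.split()[1])
    return pkt


def audit_handshakes(dump_text):
    """Pair the first SYN of each client->server tuple with the first SYN-ACK
    sent back and report the window-scale negotiation per RFC 7323 2.2:
    shifts apply only when both segments carried the option, else both are 0."""
    conns = {}
    for line in dump_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt['flags'] == 'S':                       # SYN: index by (client, server)
            key = (pkt['src'], pkt['dst'])
            conns.setdefault(key, {'syn': None, 'synack': None})
            if conns[key]['syn'] is None:             # keep the first SYN, ignore retransmits
                conns[key]['syn'] = pkt
        elif pkt['flags'] == 'S.':                    # SYN-ACK: reverse to the client's key
            key = (pkt['dst'], pkt['src'])
            if key in conns and conns[key]['synack'] is None:
                conns[key]['synack'] = pkt
    report = []
    for (client, server), hs in conns.items():
        syn, synack = hs['syn'], hs['synack']
        if synack is None:
            continue                                  # half-open: nothing to compare
        c_ws, s_ws = syn['wscale'], synack['wscale']
        negotiated = c_ws is not None and s_ws is not None
        report.append({
            'client': client,
            'server': server,
            'client_wscale': c_ws,
            'server_wscale': s_ws,
            'scaling_in_effect': negotiated,
            # the asymmetric case from the post: client offered, server stayed silent
            'client_only': c_ws is not None and s_ws is None,
            'client_shift': c_ws if negotiated else 0,
            'server_shift': s_ws if negotiated else 0,
        })
    return report


if __name__ == '__main__':
    for r in audit_handshakes(SAMPLE_DUMP):
        verdict = 'asymmetric (client offered wscale, server did not)' if r['client_only'] \
            else ('scaling negotiated' if r['scaling_in_effect'] else 'no scaling on either side')
        print(f"{r['client']} -> {r['server']}: {verdict}; "
              f"shifts client={r['client_shift']} server={r['server_shift']}")
```

Run it against a capture taken on the external interface (`tcpdump -n -i $if_ext 'tcp port 6666'`, in the post's notation) and you get one verdict per connection; a tracking device that rejects the SYN-ACK in the asymmetric case, rather than collapsing both shifts to 0 as the RFC requires, shows up as the `client_only` rows with no matching ACK.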