From: "Scott Nolde"
To: freebsd-pf@freebsd.org
Date: Tue, 18 Apr 2006 12:56:34 -0400
Subject: FreeBSD 6.1-RC and pf dropping NAT packets to Windows 98 computers?

Greetings,

I've recently upgraded my firewall from 5.4 to FreeBSD 6.1-RC #2: Wed Apr 12 13:40:41 EDT 2006.
I use pf as the packet filtering software and it has worked well for my home network up until this point. In my home network, I have a mixed environment of devices and operating systems which includes a Windows 98 host my wife uses. This Windows 98 computer can no longer netsurf or check email through the new pf firewall. I make no special allowances for hosts on this network, other than it has a corresponding NAT setup and a pass rule for the local LAN traffic.

I believe the problem to be a scrub setting where "scrub in all" isn't sufficient. I can't get too technical, but when the win98 host begins an HTTP session or POP session (to an offsite server), the initial state is created and some data is exchanged. However, the session doesn't continue. For a web browser, little is seen other than the website's header at the top of the browser. For a POP session the user/pass exchange is made, but any download never completes. I can use telnet and connect to the POP server and run simple checks like top and stat and the single state connection works just fine.

Does anyone have any suggestions for a scrub rule to try which might address and accept packets from the win98 host?

- smn