From owner-freebsd-pf@FreeBSD.ORG Thu Mar 18 14:47:53 2010
Date: Thu, 18 Mar 2010 15:18:31 +0100
From: "pawelekc@gmail.com"
To: freebsd-pf@freebsd.org
Subject: Synproxy state - advertising 0 window size
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have a small network like this:

[Internet] --- rl0(FreeBSD - router)rl1 --- [Lan]

I wanted to make all outgoing packets from the Lan look the same. It means that every SYN packet has the same TCP/IP stack. So I thought about PF's synproxy state. I know synproxy was made for another purpose, but I tried to do something like this (this is a piece of my PF firewall):

ext_if="rl0"
int_if="rl1"

set skip on lo

scrub on $int_if min-ttl 129

nat on $ext_if from !($ext_if) to any -> ($ext_if)

pass in on $int_if proto tcp from any to any port {443, 8074} flags S/SA synproxy state

(ports are only examples)

Everything on this configuration works well, but let's see the listing from tcpdump:

### NATed synproxy packet ###
# tcpdump -i rl0 -n -vvv 'tcp[13] & 2 != 0'
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
15:09:14.680832 IP (tos 0x10, ttl 128, id 35567, offset 0, flags [DF], proto TCP (6), length 44)
    10.0.0.101.51220 > 91.111.111.12.443: Flags [S], cksum 0xf73f (correct), seq 2917250499, win 0, options [mss 1460], length 0
15:09:14.714002 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    91.111.111.12.443 > 10.0.0.101.51220: Flags [S.], cksum 0x819e (correct), seq 1940581141, ack 2917250500, win 5840, options [mss 1460], length 0

### System SYN ###
15:11:05.876433 IP (tos 0x0, ttl 128, id 35741, offset 0, flags [DF], proto TCP (6), length 48)
    10.0.0.101.55040 > 94.23.95.22.80: Flags [S], cksum 0x7741 (correct), seq 414405961, win 65535, options [mss 1460,sackOK,eol], length 0
15:11:05.920871 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    94.23.95.22.80 > 10.0.0.101.55040: Flags [S.], cksum 0xcccf (correct), seq 106340672, ack 414405962, win 5840, options [mss 1460], length 0

1. In the first SYN packet (from PF's synproxy) we can see that it doesn't have any options (why?) and it advertises a 0 window size. Why?

2. In the second SYN, which comes from FreeBSD (timestamps are disabled and the TTL is changed), there are options and a window size.

Why are these two packets different?
Is it normal that synproxy sends SYNs with a 0 window size?
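The comparison the post makes by eye (TTL, TOS, window size and option list of each outgoing SYN) is easy to automate over a tcpdump -vvv capture. The following is an added example, not code from the original post or from the pf project: a small Python parser that splits verbose tcpdump text into packets, extracts those header fields from every pure SYN, and groups the SYNs by that profile so that a capture can be checked for the uniformity the poster is after. The embedded sample is the four packets quoted in the post; the helper names (parse_records, group_by_profile, uniform, diff_profiles) are this example's own.

```python
import re
from collections import defaultdict

# Sample capture: the four packets quoted in the post above, laid out the way
# tcpdump -vvv prints them (one IP line, then an indented TCP line per packet).
SAMPLE_CAPTURE = """\
15:09:14.680832 IP (tos 0x10, ttl 128, id 35567, offset 0, flags [DF], proto TCP (6), length 44)
    10.0.0.101.51220 > 91.111.111.12.443: Flags [S], cksum 0xf73f (correct), seq 2917250499, win 0, options [mss 1460], length 0
15:09:14.714002 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    91.111.111.12.443 > 10.0.0.101.51220: Flags [S.], cksum 0x819e (correct), seq 1940581141, ack 2917250500, win 5840, options [mss 1460], length 0
15:11:05.876433 IP (tos 0x0, ttl 128, id 35741, offset 0, flags [DF], proto TCP (6), length 48)
    10.0.0.101.55040 > 94.23.95.22.80: Flags [S], cksum 0x7741 (correct), seq 414405961, win 65535, options [mss 1460,sackOK,eol], length 0
15:11:05.920871 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    94.23.95.22.80 > 10.0.0.101.55040: Flags [S.], cksum 0xcccf (correct), seq 106340672, ack 414405962, win 5840, options [mss 1460], length 0
"""

# A packet record begins with a timestamp at the start of a line; continuation
# lines are indented, so this anchor splits the text into one chunk per packet.
RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ", re.M)
IP_RE = re.compile(
    r"\(tos (?P<tos>0x[0-9a-f]+), ttl (?P<ttl>\d+), id (?P<id>\d+), .*?length (?P<len>\d+)\)",
    re.S)
TCP_RE = re.compile(
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?",
    re.S)

# Fields that make up a SYN "profile"; these are the ones the post contrasts.
PROFILE_FIELDS = ("tos", "ttl", "win", "options")


def parse_records(text):
    """Split tcpdump -vvv text into packets and pull out the header fields."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    packets = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        rec = text[start:end]
        ip, tcp = IP_RE.search(rec), TCP_RE.search(rec)
        if not ip or not tcp:
            continue  # skip records that are not TCP or are truncated
        opts = tcp.group("opts")
        packets.append({
            "time": rec.split()[0],
            "tos": ip.group("tos"),
            "ttl": int(ip.group("ttl")),
            "src": tcp.group("src"), "sport": int(tcp.group("sport")),
            "dst": tcp.group("dst"), "dport": int(tcp.group("dport")),
            "flags": tcp.group("flags"),
            "win": int(tcp.group("win")),
            # tcpdump prints options as "mss 1460,sackOK,eol"; keep them in order
            "options": tuple(o.strip() for o in opts.split(",")) if opts else (),
        })
    return packets


def pure_syns(packets):
    """Only SYNs without ACK, i.e. the client-side connection attempts."""
    return [p for p in packets if p["flags"] == "S"]


def syn_profile(p):
    return tuple(p[f] for f in PROFILE_FIELDS)


def group_by_profile(packets):
    """Map each distinct (tos, ttl, win, options) profile to the SYNs carrying it."""
    groups = defaultdict(list)
    for p in pure_syns(packets):
        groups[syn_profile(p)].append(
            "%s:%d -> %s:%d" % (p["src"], p["sport"], p["dst"], p["dport"]))
    return dict(groups)


def uniform(packets):
    """True when every outgoing SYN in the capture carries the same profile."""
    return len(group_by_profile(packets)) <= 1


def diff_profiles(a, b):
    """Name the profile fields in which two SYN records differ."""
    return [f for f in PROFILE_FIELDS if a[f] != b[f]]


if __name__ == "__main__":
    pkts = parse_records(SAMPLE_CAPTURE)
    for profile, flows in group_by_profile(pkts).items():
        print("tos=%s ttl=%d win=%d options=%s" % profile)
        for flow in flows:
            print("    " + flow)
    print("uniform:", uniform(pkts))
```

Run against a longer capture (for example the output of the tcpdump command in the post redirected to a file and read into parse_records), a single group means the SYNs leaving rl0 are indistinguishable on these fields; more than one group lists exactly which flows stand out and diff_profiles says on which fields.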