Date: Fri, 16 Aug 2013 16:16:34 +0400
From: Alexander <axex007@yandex.ru>
To: freebsd-pf@freebsd.org
Subject: Windows 7 + freebsd-pf + windows scale SYN-ACK problem
Message-ID: <520E1822.7010505@yandex.ru>
Hello everyone,

I've recently run into the following problem. My network behind a PF firewall uses a service on a server that is located elsewhere (not under my control):

My_Lan ---- Gateway(freebsd9.1-pf) ---- ISP(for educational institutes)-network ----- gateway (Netfilter on Debian) ---- Server (service on port 6666)

The server runs a Windows service, so all the workstations on my network that use it are running Windows. When I try to establish a connection to this server from Windows XP machines, everything works OK. But doing the same thing from Windows 7 results in a timeout and the connection being refused.

Windows XP connection establishment dump:

16:00:07.980374 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [S], seq 3588960800, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982267 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [S.], seq 3181331995, ack 3588960801, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982442 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [.], ack 1, win 65535, length 0
16:00:07.982617 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [P.], seq 1:41, ack 1, win 65535, length 40
16:00:07.987943 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [P.], seq 1:38, ack 41, win 64240, length 37
16:00:07.987955 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [F.], seq 38, ack 41, win 64240, length 0

Windows 7 connection establishment dump:

16:05:10.539208 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:10.541103 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.546167 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.553589 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:19.551960 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:19.631731 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,nop,sackOK], length 0

Here my firewall blocks the SYN-ACK packet that comes from the server (the dump is taken from the external interface), and the client doesn't send an ACK. I know why the server doesn't respond with the wscale option: it is running Windows Server 2003, which by default doesn't support it. If I turn off window scale support on Windows 7, everything starts to work, but I can't accept this as a solution, because I'll get low bandwidth with high-latency hosts.

I tried to add the following rules at the end of pf.conf, but it didn't help:

pass in on $if_int proto tcp from <My-Lan> to 172.29.67.67 port 6666 no state
pass in on $if_ext proto tcp from 172.29.67.67 port 6666 to any no state

Now my question is: is there any solution to stop PF blocking SYN-ACK packets that don't have the wscale option in a connection where the SYN packet has it (in my case the wscale proposed by the Windows 7 host is 8)?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?520E1822.7010505>
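The two captures in the post can be triaged mechanically. The script below is an added example, not code from the original post and not part of pf: it parses tcpdump's default text output for TCP, groups packets into flows keyed by the client-side SYN, and reports for each flow whether the client offered window scaling, whether the server's SYN-ACK echoed it, how many times the SYN-ACK was retransmitted, whether the client ever completed the handshake, and whether the client eventually retried without the wscale option (which the Windows 7 capture shows on its last SYN). It only describes what the capture contains; it does not model pf's own state-tracking logic. The embedded sample input is the twelve dump lines quoted in the post, copied verbatim.

```python
"""Triage tcpdump TCP handshake output for window-scale asymmetry and stalled
handshakes.  Added example; it reads tcpdump's text format only and makes no
claim about how pf tracks state."""
import re
from collections import OrderedDict

# Sample input: the two handshake captures quoted in the post (Windows XP,
# then Windows 7), copied verbatim from the message.
DUMP = """\
16:00:07.980374 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [S], seq 3588960800, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982267 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [S.], seq 3181331995, ack 3588960801, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982442 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [.], ack 1, win 65535, length 0
16:00:07.982617 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [P.], seq 1:41, ack 1, win 65535, length 40
16:00:07.987943 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [P.], seq 1:38, ack 41, win 64240, length 37
16:00:07.987955 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [F.], seq 38, ack 41, win 64240, length 0
16:05:10.539208 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:10.541103 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.546167 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.553589 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:19.551960 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:19.631731 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,nop,sackOK], length 0
"""

# One tcpdump TCP line: timestamp, endpoints, flags, optional seq/ack,
# window, optional option list, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq [\d:]+)?(?:, ack \d+)?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<len>\d+)$"
)


def parse_opts(text):
    """'mss 1460,nop,wscale 8,sackOK' -> {'mss': 1460, 'nop': True, 'wscale': 8, 'sackOK': True}."""
    opts = {}
    for item in (text or "").split(","):
        parts = item.strip().split()
        if parts:
            opts[parts[0]] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else True
    return opts


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])), "flags": m["flags"],
            "win": int(m["win"]), "opts": parse_opts(m["opts"])}


def analyze(lines):
    """Group packets into flows keyed (client_ip, client_port, server_ip, server_port)
    and record what the handshake looked like from the capture point."""
    flows = OrderedDict()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":                      # a bare SYN defines the client side
            key = pkt["src"] + pkt["dst"]
        elif pkt["dst"] + pkt["src"] in flows:       # server -> client
            key = pkt["dst"] + pkt["src"]
        elif pkt["src"] + pkt["dst"] in flows:       # client -> server
            key = pkt["src"] + pkt["dst"]
        else:
            continue                                 # mid-stream packet, SYN never seen
        f = flows.setdefault(key, {"syn_wscales": [], "synack_wscales": [],
                                   "synack_count": 0, "handshake_complete": False})
        from_client = pkt["src"] == key[:2]
        if pkt["flags"] == "S" and from_client:
            f["syn_wscales"].append(pkt["opts"].get("wscale"))     # None = not offered
        elif pkt["flags"] == "S." and not from_client:
            f["synack_count"] += 1
            f["synack_wscales"].append(pkt["opts"].get("wscale"))
        elif from_client and "S" not in pkt["flags"] and f["synack_count"]:
            f["handshake_complete"] = True           # client ACKed (or sent data) after a SYN-ACK
    return flows


def verdict(f):
    """Human-readable summary of one flow record from analyze()."""
    client = f["syn_wscales"][0] if f["syn_wscales"] else None
    server = f["synack_wscales"][0] if f["synack_wscales"] else None
    if f["handshake_complete"]:
        return "handshake completed (client wscale %s, server wscale %s)" % (client, server)
    msg = "stalled: %d SYN-ACK(s) seen, no client ACK; client offered wscale %s, server offered %s" % (
        f["synack_count"], client, server)
    if client is not None and f["syn_wscales"][-1] is None:
        msg += "; client later retried without wscale"
    return msg


def report(lines):
    return ["%s:%d -> %s:%d  %s" % (k + (verdict(f),)) for k, f in analyze(lines).items()]


if __name__ == "__main__":
    for line in report(DUMP.splitlines()):
        print(line)
```

Run against the post's capture it prints one line per flow: the XP flow completes with no scaling on either side, and the Windows 7 flow is reported as stalled after three SYN-ACKs, with wscale 8 offered by the client, none by the server, and a final client SYN sent without the option. Feed it `tcpdump -n -i $if_ext tcp port 6666` output from both interfaces to see on which side of the gateway the SYN-ACK stops appearing.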