Windows 7 + freebsd-pf + windows scale SYN-ACK problem

Alexander axex007 at yandex.ru
Fri Aug 16 12:16:37 UTC 2013


Hello everyone,
I've recently run into the following problem.
My network behind a PF firewall uses a service on a server that is located elsewhere (not under my control):
My_Lan ---- Gateway(freebsd9.1-pf) ---- ISP(for educational institutes)-network ----- gateway (Netfilter on Debian) ---- Server (service on port 6666).
The server runs a Windows service, so all my network workstations that use it are Windows operating systems.
When I try to establish a connection with this server from Windows XP machines, everything works OK.
But doing the same thing with Windows 7 results in a timeout and refusal of the connection establishment.
Windows XP connection establishment dump:
16:00:07.980374 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [S], seq 3588960800, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982267 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [S.], seq 3181331995, ack 3588960801, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982442 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [.], ack 1, win 65535, length 0
16:00:07.982617 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [P.], seq 1:41, ack 1, win 65535, length 40
16:00:07.987943 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [P.], seq 1:38, ack 41, win 64240, length 37
16:00:07.987955 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [F.], seq 38, ack 41, win 64240, length 0
Windows 7 establishment dump:
16:05:10.539208 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:10.541103 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.546167 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.553589 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:19.551960 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:19.631731 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,nop,sackOK], length 0
Here my firewall blocks the SYN-ACK packet that comes from the server (the dump is taken from the external interface), and the client doesn't send an ACK.
I know why the server doesn't respond with the wscale option: it's because it has Windows 2003 Server running, which by default doesn't support it.
If I turn off window scale support on Windows 7, everything starts to work, but I can't accept this as a solution, because I'll get slow bandwidth with high-latency hosts.
I tried to add the following rules at the end of pf.conf, but it didn't help:
pass in on $if_int proto tcp from <My-Lan> to 172.29.67.67 port 6666 no state
pass in on $if_ext proto tcp from 172.29.67.67 port 6666 to any no state

Now my question is: is there any solution to stop PF from blocking SYN-ACK packets that don't have the wscale option in a connection where the SYN packet has it (in my case the wscale proposed by the Windows 7 host is 8)?
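As an added example (not part of the original post or of PF), the following Python script parses tcpdump summary lines of the kind quoted above and reports, per handshake, the window-scale asymmetry described in the post: a SYN carrying wscale, a SYN-ACK without it, the SYN-ACK retransmissions, and whether the client's ACK ever appeared on the wire. The two sample dumps are constructed from the post's own packets, rejoined one packet per line; the verdict strings and the flow-keying convention are this example's own choices.

```python
import re
from collections import defaultdict

# Matches the tcpdump TCP summary format quoted in the post (timestamp, IP.port > IP.port, Flags, options).
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
    r'(?:.*?options \[(?P<opts>[^\]]*)\])?'
)


def parse_options(text):
    """Turn 'mss 1460,nop,wscale 8,nop,nop,sackOK' into {'mss': 1460, 'wscale': 8, 'sackOK': True}."""
    opts = {}
    for tok in (text or '').split(','):
        parts = tok.strip().split()
        if not parts or parts[0] == 'nop':
            continue
        opts[parts[0]] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else True
    return opts


def parse_line(line):
    """Parse one tcpdump summary line; returns None for lines that are not TCP summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt['opts'] = parse_options(pkt['opts'])
    return pkt


def analyze(lines):
    """Group packets by the client-side 4-tuple (taken from the SYN direction) and report,
    per flow, the wscale offered by each side, SYN-ACK retransmissions, and whether the
    client's ACK was ever seen. A SYN with wscale answered by a SYN-ACK without it that
    never gets acknowledged is flagged as the asymmetry the post describes."""
    flows = defaultdict(lambda: {'syn_wscale': [], 'synack_wscale': [], 'synacks': 0, 'acked': False})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p['flags'] == 'S':
            key = (p['src'], p['sport'], p['dst'], p['dport'])
            flows[key]['syn_wscale'].append(p['opts'].get('wscale'))
        elif p['flags'] == 'S.':
            # Reverse the tuple so the SYN-ACK lands on the same flow as the client's SYN.
            key = (p['dst'], p['dport'], p['src'], p['sport'])
            flows[key]['synacks'] += 1
            flows[key]['synack_wscale'].append(p['opts'].get('wscale'))
        elif '.' in p['flags']:
            # Any ACK-bearing segment from the client side completes the handshake.
            key = (p['src'], p['sport'], p['dst'], p['dport'])
            if key in flows:
                flows[key]['acked'] = True

    report = {}
    for key, f in flows.items():
        first_syn = f['syn_wscale'][0] if f['syn_wscale'] else None
        first_synack = f['synack_wscale'][0] if f['synack_wscale'] else None
        if f['acked']:
            verdict = 'ok'
        elif first_syn is not None and first_synack is None and f['synacks'] > 0:
            verdict = 'wscale-asymmetry-no-ack'
        else:
            verdict = 'incomplete'
        report[key] = {
            'client_wscale': first_syn,
            'server_wscale': first_synack,
            'synack_retransmits': max(f['synacks'] - 1, 0),
            # Windows 7's last SYN retry in the post drops the wscale option; record that fallback.
            'client_dropped_wscale_on_retry': None in f['syn_wscale'][1:],
            'verdict': verdict,
        }
    return report


# Constructed sample input: the post's two dumps, one packet per line.
XP_DUMP = """\
16:00:07.980374 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [S], seq 3588960800, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982267 IP 172.29.67.67.6666 > 172.29.27.231.3219: Flags [S.], seq 3181331995, ack 3588960801, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:00:07.982442 IP 172.29.27.231.3219 > 172.29.67.67.6666: Flags [.], ack 1, win 65535, length 0
"""

WIN7_DUMP = """\
16:05:10.539208 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:10.541103 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.546167 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:13.553589 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:05:19.551960 IP 172.29.67.67.6666 > 172.29.27.204.60848: Flags [S.], seq 674256650, ack 3073456939, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:05:19.631731 IP 172.29.27.204.60848 > 172.29.67.67.6666: Flags [S], seq 3073456938, win 8192, options [mss 1460,nop,nop,sackOK], length 0
"""

if __name__ == '__main__':
    for name, dump in (('XP', XP_DUMP), ('Win7', WIN7_DUMP)):
        for key, info in analyze(dump.splitlines()).items():
            print(name, key, info)
```

Run it against the output of `tcpdump -n -i <external interface> port 6666` to see which flows stall in the asymmetric state; the `client_dropped_wscale_on_retry` field shows the point at which Windows 7 gives up on window scaling, which is the same fallback the post gets by disabling it manually.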

