Synproxy state - advertising 0 window size

pawelekc at gmail.com pawelekc at gmail.com
Thu Mar 18 14:47:53 UTC 2010


I have a small network like this: [Internet] --- rl0(FreeBSD -
router)rl1 --- [Lan]

I wanted to make all outgoing packets from the LAN look the same. It
means that every SYN packet looks like it comes from the same TCP/IP stack. So I thought
about PF's synproxy state. I know synproxy was made for another purpose,
but I tried to do something like this (this is a piece of my PF
firewall configuration):

ext_if="rl0"
int_if="rl1"
set skip on lo
scrub on $int_if min-ttl 129
nat on $ext_if from !($ext_if) to any -> ($ext_if)
pass in on $int_if proto tcp from any to any port {443, 8074} flags S/SA synproxy state

(the ports are only examples)

Everything works well with this configuration, but let's look at the listing from tcpdump:
### NATed synproxy packet###
# tcpdump -i rl0 -n -vvv 'tcp[13] & 2 != 0'
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
15:09:14.680832 IP (tos 0x10, ttl 128, id 35567, offset 0, flags [DF],
proto TCP (6), length 44)
    10.0.0.101.51220 > 91.111.111.12.443: Flags [S], cksum 0xf73f
(correct), seq 2917250499, win 0, options [mss 1460], length 0

15:09:14.714002 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto
TCP (6), length 44)
    91.111.111.12.443 > 10.0.0.101.51220: Flags [S.], cksum 0x819e
(correct), seq 1940581141, ack 2917250500, win 5840, options [mss
1460], length 0

###System SYN####
15:11:05.876433 IP (tos 0x0, ttl 128, id 35741, offset 0, flags [DF],
proto TCP (6), length 48)
    10.0.0.101.55040 > 94.23.95.22.80: Flags [S], cksum 0x7741
(correct), seq 414405961, win 65535, options [mss 1460,sackOK,eol],
length 0

15:11:05.920871 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto
TCP (6), length 44)
    94.23.95.22.80 > 10.0.0.101.55040: Flags [S.], cksum 0xcccf
(correct), seq 106340672, ack 414405962, win 5840, options [mss 1460],
length 0

1. In the first SYN packet (from PF's synproxy) we can see that it doesn't
have any options (why?) and it advertises a 0 window size. Why?
2. In the second SYN, which comes from FreeBSD (time stamps are disabled
and the ttl is changed), there are options and a window size. Why are
these two packets different? Is it normal that synproxy sends SYNs with
a 0 window size?
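The comparison the message is asking about, written out as an added example that is not part of the original post or of PF: a small Python script that parses tcpdump -vvv output (the listing above, re-embedded here as a constructed sample exactly as the mail client wrapped it), picks out the outgoing SYNs and reports the header fields on which they differ. Those fields (TOS, TTL, DF, window, option list) are the ones that reveal which TCP/IP stack generated a packet, so this is the check you would run to verify whether a normalization setup like scrub plus synproxy actually produces uniform SYNs. The function names and the choice of fields are my own assumptions.

```python
import re

# Constructed sample: the tcpdump listing from the post, including the
# line wrapping the mail client introduced.
CAPTURE = """
# tcpdump -i rl0 -n -vvv 'tcp[13] & 2 != 0'
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
15:09:14.680832 IP (tos 0x10, ttl 128, id 35567, offset 0, flags [DF],
proto TCP (6), length 44)
    10.0.0.101.51220 > 91.111.111.12.443: Flags [S], cksum 0xf73f
(correct), seq 2917250499, win 0, options [mss 1460], length 0

15:09:14.714002 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto
TCP (6), length 44)
    91.111.111.12.443 > 10.0.0.101.51220: Flags [S.], cksum 0x819e
(correct), seq 1940581141, ack 2917250500, win 5840, options [mss
1460], length 0

15:11:05.876433 IP (tos 0x0, ttl 128, id 35741, offset 0, flags [DF],
proto TCP (6), length 48)
    10.0.0.101.55040 > 94.23.95.22.80: Flags [S], cksum 0x7741
(correct), seq 414405961, win 65535, options [mss 1460,sackOK,eol],
length 0
"""

# A new packet record starts with a timestamp; everything else is continuation.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
IP_RE = re.compile(
    r"tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset \d+, flags \[(?P<ipflags>[^\]]*)\]"
)
TCP_RE = re.compile(
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<tcpflags>[^\]]*)\]"
    r".*?win (?P<win>\d+)(?:, options \[(?P<opts>[^\]]*)\])?"
)

# Header fields that differ between stacks and so identify the sender
# (the IP id is parsed too, but it changes per packet and is not compared).
FINGERPRINT_FIELDS = ("tos", "ttl", "df", "win", "options")


def join_records(text):
    """Join tcpdump -vvv output into one string per packet.

    tcpdump prints the IP header on one line and the TCP part indented on
    the next; mail clients wrap further. Any line that does not start with
    a timestamp is glued onto the previous record. Command echo, tcpdump
    status lines and '#' comments are skipped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("tcpdump:"):
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_packet(record):
    """Extract the IP and TCP header fields from one joined tcpdump record."""
    ip = IP_RE.search(record)
    tcp = TCP_RE.search(record)
    if not ip or not tcp:
        raise ValueError("not a tcpdump -vvv TCP record: " + record[:60])
    opts = tcp.group("opts")
    return {
        "src": tcp.group("src"),
        "dst": tcp.group("dst"),
        "tcp_flags": tcp.group("tcpflags"),
        "tos": int(ip.group("tos"), 16),
        "ttl": int(ip.group("ttl")),
        "ip_id": int(ip.group("id")),
        "df": "DF" in ip.group("ipflags"),
        "win": int(tcp.group("win")),
        "options": [o.strip() for o in opts.split(",")] if opts else [],
    }


def outgoing_syns(text):
    """Return the parsed packets that are pure SYNs (Flags [S]), i.e. connection attempts."""
    return [p for p in map(parse_packet, join_records(text)) if p["tcp_flags"] == "S"]


def compare_syns(a, b):
    """Return the fingerprint fields on which two SYNs differ, as field -> (a, b)."""
    return {k: (a[k], b[k]) for k in FINGERPRINT_FIELDS if a[k] != b[k]}


if __name__ == "__main__":
    syns = outgoing_syns(CAPTURE)
    for p in syns:
        print(f"{p['src']} -> {p['dst']}: tos={p['tos']:#x} ttl={p['ttl']} "
              f"df={p['df']} win={p['win']} options={p['options']}")
    print("SYNs differ in:", compare_syns(syns[0], syns[1]))
```

Run on the listing above, the script reports that the synproxy-generated SYN and the FreeBSD-generated SYN differ in TOS (0x10 vs 0x0), window (0 vs 65535) and option list (mss only vs mss, sackOK, eol), while TTL and DF agree; that is exactly the set of visible differences the two questions are about, and the same script can be pointed at a fresh capture after any rule change to confirm whether the SYNs have converged.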

