Windows 7 + freebsd-pf + windows scale SYN-ACK problem

Alexander axex007 at yandex.ru
Mon Aug 19 09:13:19 UTC 2013


On 16.08.2013 21:12, Daniel Hartmeier wrote:
> On Fri, Aug 16, 2013 at 06:22:43PM +0400, Alexander wrote:
>
>> My connection with the server (port 6666) starts to work and I think I
>> can be satisfied by this solution. But I still cannot understand why
>> packets are dropped without no state rules. As I revealed, they are
>> dropped between the bridge0 and vlan1 interfaces.
> This is probably because you filter on bridge0.
>
> There are some sysctl's related to this, run sysctl -a | grep bridge
> I think in some combinations, pf sees packets on the bridge interface
> with the wrong direction.
>
> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?
>
> Daniel
OK! I tried removing rxcsum and txcsum on lo0; that didn't help.
> Do you have a particular reason for filtering on the bridge interface,
> and not just on the physical interfaces?
I have a 'pass on bridge0 all flags S/SA keep state' rule on the bridge; all
other filters are on physical interfaces.

Here's my full ruleset:
root at gate:~ # pfctl -s rules
pass in quick on vlan1 route-to lo0 inet proto tcp from <My_net> to 127.0.0.1 port = 3128 flags S/SA keep state
block drop in quick inet proto icmp from any to 255.255.255.255
block drop in quick inet from 127.0.0.0/8 to any
block drop in quick on vlan1 inet from ! <My_net> to any
block drop in log quick on bge0 inet from <My_net> to any
block drop in log quick on bge0 inet from <nat> to any
block drop in log quick on bge0 inet from <block_nets> to any
block drop all
pass in on bge0 inet proto tcp from <branches> to 172.29.27.199 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.199 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.211 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.211 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.197 flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.196 flags S/SA keep state
pass in on bge0 inet proto tcp from <branches> to 172.29.27.198 flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = microsoft-ds flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = netbios-ssn flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.195 port = z39.50 flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.196 port = http flags S/SA keep state
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.196 port = 6666 flags S/SA keep state
pass in on bge0 inet proto udp from <branches> to 172.29.27.197 keep state
pass in on bge0 inet proto udp from <branches> to 172.29.27.196 keep state
pass in on bge0 inet proto udp from <branches> to 172.29.27.198 keep state
pass in on bge0 inet proto icmp from <branches> to 172.29.27.197 keep state
pass in on bge0 inet proto icmp from <branches> to 172.29.27.196 keep state
pass in on bge0 inet proto icmp from <branches> to 172.29.27.198 keep state
pass in on vlan1 inet from <nat> to 8.8.8.8 flags S/SA keep state
pass in on vlan1 inet from <nat> to 172.16.172.16 flags S/SA keep state
pass in on vlan1 inet from <nat> to 192.168.192.168 flags S/SA keep state
pass in on vlan1 inet proto udp from <My_net> to 172.29.27.194 port = ntp keep state
pass in on vlan1 inet proto tcp from 172.29.27.200 to 172.29.27.194 port = 10050 flags S/SA keep state
pass in on vlan1 from <dmz> to ! <ISP_NET> flags S/SA keep state
pass in on vlan1 from <nat> to ! <ISP_NET> flags S/SA keep state
pass in on vlan1 from <My_net> to any flags S/SA keep state
pass on bridge0 all flags S/SA keep state

There are no scrub rules.

My sysctl -s | grep bridge:

net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1
dev.pcib.0.%desc: ACPI Host-PCI bridge
dev.pcib.1.%desc: ACPI PCI-PCI bridge
dev.pcib.2.%desc: ACPI PCI-PCI bridge
dev.pcib.3.%desc: ACPI PCI-PCI bridge
dev.pcib.4.%desc: ACPI PCI-PCI bridge
dev.pcib.5.%desc: ACPI PCI-PCI bridge
dev.pcib.6.%desc: ACPI PCI-PCI bridge
dev.hostb.0.%desc: Host to PCI bridge
dev.isab.0.%desc: PCI-ISA bridge


As I mentioned earlier, disabling wscale support on Windows 7 makes the
connection between MY_LAN and the server in <ISP_NET> on port 6666 work.
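The point Daniel raises above (filtering on bridge0 while pf is also hooked on the member interfaces) can be checked mechanically from the two dumps quoted in this thread. The script below is an added example written for this thread, not code from the poster or from the FreeBSD project: it parses `pfctl -s rules` output and the `net.link.bridge` sysctl values, and reports every stateful rule bound to a bridge interface when both net.link.bridge.pfil_member and net.link.bridge.pfil_bridge are 1 (per if_bridge(4), that combination runs each forwarded packet through pf on the member interface and again on the bridge, so a second state can be created with the opposite direction). It also notes whether any scrub rule is present. The sample input is constructed inline from the values quoted above, and the assumption that bridge interfaces are named bridgeN is the only naming convention it relies on.

```python
import re

# Constructed sample input: a subset of the `pfctl -s rules` dump and of the
# net.link.bridge sysctl values quoted in the thread.
RULES_DUMP = """\
pass in quick on vlan1 route-to lo0 inet proto tcp from <My_net> to 127.0.0.1 port = 3128 flags S/SA keep state
block drop in log quick on bge0 inet from <My_net> to any
block drop all
pass in on bge0 inet proto tcp from <ISP_NET> to 172.29.27.196 port = 6666 flags S/SA keep state
pass in on vlan1 from <My_net> to any flags S/SA keep state
pass on bridge0 all flags S/SA keep state
"""

SYSCTL_DUMP = """\
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
"""

# Leading part of a pfctl rule line: action, optional direction, optional
# log/quick modifiers, optional interface binding. The remainder is kept raw.
RULE_RE = re.compile(
    r"^(?P<action>pass|block(?: drop)?|scrub)"
    r"(?:\s+(?P<dir>in|out)\b)?"
    r"(?:\s+(?:log|quick))*"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?P<rest>.*)$"
)

STATE_WORDS = ("keep state", "modulate state", "synproxy state")


def parse_rules(dump):
    """Parse pfctl -s rules output into a list of dicts; skip unparsable lines."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "raw": line,
            "action": m.group("action"),
            "direction": m.group("dir"),   # None means the rule matches both directions
            "iface": m.group("iface"),     # None means the rule is not bound to an interface
            "stateful": any(w in line for w in STATE_WORDS),
        })
    return rules


def parse_sysctl(dump):
    """Parse 'name: value' sysctl lines into a dict, converting integer values."""
    values = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        values[name.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return values


def is_bridge_iface(name):
    # Assumption: bridge interfaces follow the if_bridge(4) naming bridgeN.
    return name is not None and re.fullmatch(r"bridge\d+", name) is not None


def find_double_filtered(rules, sysctls):
    """Return stateful rules bound to a bridge interface while pf also runs on
    the member interfaces, i.e. each forwarded packet is filtered twice."""
    both = (sysctls.get("net.link.bridge.pfil_bridge") == 1
            and sysctls.get("net.link.bridge.pfil_member") == 1)
    if not both:
        return []
    return [r["raw"] for r in rules if r["stateful"] and is_bridge_iface(r["iface"])]


def has_scrub(rules):
    return any(r["action"] == "scrub" for r in rules)


def report(rules_dump=RULES_DUMP, sysctl_dump=SYSCTL_DUMP):
    """Run both checks and return a list of human-readable findings."""
    rules = parse_rules(rules_dump)
    sysctls = parse_sysctl(sysctl_dump)
    findings = ["double filtering (pfil_bridge=1, pfil_member=1): " + raw
                for raw in find_double_filtered(rules, sysctls)]
    if not has_scrub(rules):
        findings.append("no scrub rule present")
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Feeding it the real dumps (`pfctl -s rules` and `sysctl net.link.bridge`) instead of the inline samples is a one-line change to `report()`; the interesting output is the bridge rule that keeps state on a second pass over the same packet, which is the situation Daniel describes as pf seeing the packet on the bridge interface with the wrong direction.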

