DaemonForums  

Go Back   DaemonForums > Other Operating Systems > Other OS

Other OS Any other OS such as Microsoft Windows, BeOS, Plan9, Syllable, and whatnot.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 10th November 2008
cerulean's Avatar
cerulean cerulean is offline
Port Guard
 
Join Date: May 2008
Location: Arizona
Posts: 18
Default Vista network issues behind PF Firewall

I have a very straight forward pf config doing NAT for the internal network. Works great with the 30+ WinXP, Win2000 and Linux machines, but recently someone added a Vista machine and it simply doesn't work. Very slow, lots of disconnects, etc. The Vista machine can access internal network resources without issue which seems to indicate this is not a hardware issue.

Below is my pf.conf file .. I did a search and found one thread on the mailing lists with similar issues but it didn't seem to resolve the problem (I can't seem to locate the thread this morning). Thanks for any advise (beyond getting rid of Vista.

#############################
# PF Configuration
###############################
ext_if = "vr0"
int_if = "fxp0"

tcp_services = "{ 0, 21, 8234, 22, 2200, 3389, 3388, 8234, 80, 81, 5820, 143, 443, 110, 25, 2500, 587, 993, 45000:50000, 55555 }"
udp_services = "{ 53, 993, 8234 }"

apnic_blocked_services = "{22, 2200, 25, 2500, 587, 20, 21}"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

table <apnic> { 58.0.0.0/8, 59.0.0.0/8, 60.0.0.0/8, 61.0.0.0/8, 114.0.0.0/8, \
115.0.0.0/8, 116.0.0.0/8, 117.0.0.0/8, 118.0.0.0/8, 119.228.0.0/8, 120.0.0.0/8, \
121.0.0.0/8, 122.0.0.0/8, 123.0.0.0/8, 124.0.0.0/8, 125.0.0.0/8, 126.0.0.0/8, \
169.208.0.0/12, 202.0.0.0/8, 203.0.0.0/8, 210.0.0.0/8, 211.0.0.0/8, 218.0.0.0/8, \
219.0.0.0/8, 220.0.0.0/8, 221.0.0.0/8, 222.0.0.0/8 }

#############################
# PF Options
###############################

set block-policy return
set loginterface $ext_if
set skip on lo
scrub in all

#############################
# PF NAT Configuration
###############################

nat on $ext_if from !($ext_if) to any -> ($ext_if)
nat-anchor "ftp-proxy/*"

rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#############################
# PF Filter Rules
###############################

# Default Block Status

block in
pass out keep state

anchor "ftp-proxy/*"

antispoof quick for { lo $int_if }

block in quick on $ext_if inet proto tcp from <apnic> to ($ext_if) port $apnic_blocked_services

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
Reply With Quote
  #2   (View Single Post)  
Old 10th November 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Vista is the first OS from Microsoft which has TCP window scaling (defined in RFC 1323) enabled as default.

To properly deal with this, a stateful packetfilter has to create state on the first packet of the 3 way TCP handshake, where this scaling is proposed by the TCP connection initiatior.

Your pass out keep state rule violates this principle.

The issue is rather clearly explained in http://undeadly.org/cgi?action=artic...20060928081238 under the section "Create TCP states on the initial SYN packet"

The release of Vista has been one of the reasons why for some time pf now defaults to flags S/SA keep state for stateful TCP rules.

Don't know if the OS you run, already has this as default

In OpenBSD you can disable this TCP window scaling by setting the sysctl varibiable net.inet.tcp.rfc1323=1 to 0.

In Vista it probably is hidden somewhere in the registry
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 10th November 2008
cerulean's Avatar
cerulean cerulean is offline
Port Guard
 
Join Date: May 2008
Location: Arizona
Posts: 18
Default

Thanks! I made the switch to flags S/SA so that should take care of the issue. Would there be any reason why I wouldn't want to have window scaling?
Reply With Quote
  #4   (View Single Post)  
Old 10th November 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

If you are in complete control of your network, there is no need to disable TCP window scaling.

Another link explaining the TCP window scaling : http://en.wikipedia.org/wiki/Window_scaling
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Tags
disconnect, pf, tcp window scaling, vista, windows

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
For those who REALLY need windoze, 2k, XP or Vista? fbsduser Other OS 68 4th July 2010 11:00 PM
dhcpd, vista and wlan hamba FreeBSD Ports and Packages 5 8th September 2009 04:34 PM
Cannot connect to IRC (network issues within OBSD?) guitarscn OpenBSD General 10 4th September 2009 12:35 PM
booting vista installer dvd bsdnewbie999 Other OS 9 15th October 2008 06:16 PM
Guide for KDE over SSH from Vista ua549 FreeBSD General 13 13th June 2008 07:20 PM


All times are GMT. The time now is 08:39 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick