Vista network issues behind PF Firewall

[cerulean]

I have a very straight forward pf config doing NAT for the internal network. Works great with the 30+ WinXP, Win2000 and Linux machines, but recently someone added a Vista machine and it simply doesn't work. Very slow, lots of disconnects, etc. The Vista machine can access internal network resources without issue which seems to indicate this is not a hardware issue.

Below is my pf.conf file .. I did a search and found one thread on the mailing lists with similar issues but it didn't seem to resolve the problem (I can't seem to locate the thread this morning). Thanks for any advise (beyond getting rid of Vista.

#############################
# PF Configuration
###############################
ext_if = "vr0"
int_if = "fxp0"

tcp_services = "{ 0, 21, 8234, 22, 2200, 3389, 3388, 8234, 80, 81, 5820, 143, 443, 110, 25, 2500, 587, 993, 45000:50000, 55555 }"
udp_services = "{ 53, 993, 8234 }"

apnic_blocked_services = "{22, 2200, 25, 2500, 587, 20, 21}"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

table <apnic> { 58.0.0.0/8, 59.0.0.0/8, 60.0.0.0/8, 61.0.0.0/8, 114.0.0.0/8, \
115.0.0.0/8, 116.0.0.0/8, 117.0.0.0/8, 118.0.0.0/8, 119.228.0.0/8, 120.0.0.0/8, \
121.0.0.0/8, 122.0.0.0/8, 123.0.0.0/8, 124.0.0.0/8, 125.0.0.0/8, 126.0.0.0/8, \
169.208.0.0/12, 202.0.0.0/8, 203.0.0.0/8, 210.0.0.0/8, 211.0.0.0/8, 218.0.0.0/8, \
219.0.0.0/8, 220.0.0.0/8, 221.0.0.0/8, 222.0.0.0/8 }

#############################
# PF Options
###############################

set block-policy return
set loginterface $ext_if
set skip on lo
scrub in all

#############################
# PF NAT Configuration
###############################

nat on $ext_if from !($ext_if) to any -> ($ext_if)
nat-anchor "ftp-proxy/*"

rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#############################
# PF Filter Rules
###############################

# Default Block Status

block in
pass out keep state

anchor "ftp-proxy/*"

antispoof quick for { lo $int_if }

block in quick on $ext_if inet proto tcp from <apnic> to ($ext_if) port $apnic_blocked_services

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

[J65nko]

Vista is the first OS from Microsoft which has TCP window scaling (defined in RFC 1323) enabled as default.

To properly deal with this, a stateful packetfilter has to create state on the first packet of the 3 way TCP handshake, where this scaling is proposed by the TCP connection initiatior.

Your pass out keep state rule violates this principle.

The issue is rather clearly explained in http://undeadly.org/cgi?action=artic...20060928081238 under the section "Create TCP states on the initial SYN packet"

The release of Vista has been one of the reasons why for some time pf now defaults to flags S/SA keep state for stateful TCP rules.

Don't know if the OS you run, already has this as default

In OpenBSD you can disable this TCP window scaling by setting the sysctl varibiable net.inet.tcp.rfc1323=1 to 0.

In Vista it probably is hidden somewhere in the registry

[cerulean]

Thanks! I made the switch to flags S/SA so that should take care of the issue. Would there be any reason why I wouldn't want to have window scaling?

[J65nko]

If you are in complete control of your network, there is no need to disable TCP window scaling.

Another link explaining the TCP window scaling : http://en.wikipedia.org/wiki/Window_scaling