Subject: Re: PF and TCP Window Scaling in NetBSD 3.0
To: Joerg Roedel <joro-bsd@zlug.org>
From: Daniel Hartmeier <daniel@benzedrine.cx>
List: tech-net
Date: 07/11/2006 14:57:03
On Tue, Jul 11, 2006 at 02:04:33PM +0200, Joerg Roedel wrote:

> So it must be a problem in the filter code.

... or the ruleset :)

To properly support TCP window scaling, pf must create state on the
initial SYN packet of a connection.

If state is created on a subsequent packet (like when the SYN is
accidentally passed without creating state, and state is created on
the returning SYN+ACK), pf has missed the window scaling negotiation
containing the scaling factors, and will eventually stall
connections. Each peer's scaling factor is only seen in its SYN packet,
and can't be deduced later on.

Check your ruleset and verify that

  a) there is a default block policy
  b) all 'pass' rules applying to TCP have both 'keep state' and
     'flags S/SA'.

Daniel
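As an added example (not from Daniel's message or from pf itself), the two checks above written as a small Python audit over a constructed pf.conf fragment: it reports whether an unrestricted `block` rule exists and lists every `pass` rule applying to TCP that lacks either a state keyword (`keep`, `modulate` or `synproxy state`) or `flags S/SA`. It is a pattern-based heuristic, not pfctl's parser: macros and `{ }` lists are not expanded, and a rule with no `proto` is assumed to cover TCP.

```python
import re

# Constructed sample ruleset (not from the original thread). The port 80 rule
# passes TCP without 'keep state' / 'flags S/SA', so a connection through it
# may get state created on the SYN+ACK and later stall under window scaling.
SAMPLE_RULESET = """\
ext_if = "fxp0"
block all
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass in on $ext_if proto tcp from any to any port 22 \\
    flags S/SA keep state
pass in on $ext_if proto tcp from any to any port 80
pass in on $ext_if proto udp from any to any port 53 keep state
"""

STATE_RE = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")
FLAGS_RE = re.compile(r"\bflags\s+S/SA\b")
PROTO_RE = re.compile(r"\bproto\s+(\S+|\{[^}]*\})")


def logical_lines(text):
    """Strip comments, join backslash-continued lines, normalise whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out


def applies_to_tcp(rule):
    """No 'proto' means the rule matches every protocol, TCP included."""
    m = PROTO_RE.search(rule)
    return m is None or re.search(r"\btcp\b", m.group(1)) is not None


def audit_ruleset(text):
    """Return (has_default_block, [TCP pass rules missing state or S/SA])."""
    has_block, bad = False, []
    for rule in logical_lines(text):
        # A block rule with no address/interface/port/proto restriction.
        if rule.startswith("block") and not re.search(
                r"\b(from|to|proto|on|port)\b", rule):
            has_block = True
        if rule.startswith("pass") and applies_to_tcp(rule):
            if not (STATE_RE.search(rule) and FLAGS_RE.search(rule)):
                bad.append(rule)
    return has_block, bad
```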