Hello,

On FreeBSD 6.2-PRERELEASE (apparently ipfilter ~4.1.13), I'm having a problem with NATted, FTP-proxied sessions which use Window Scaling. Sessions that don't use the FTP proxy (or if the FTP proxy rule is disabled) or if WS is disabled work OK.

Maybe the FTP proxy doesn't work with Window Scaling, or is there something I'm missing?

IPmon lists the errors like:

19/12/2006 20:56:04.982985 15x fxp0 @0:32 b 193.166.3.2,33416 -> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT
19/12/2006 20:56:08.235987 fxp0 @0:32 b 193.166.3.2,33416 -> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT
19/12/2006 20:56:09.155467 fxp0 @0:32 b 193.166.3.2,33416 -> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT
19/12/2006 20:56:10.996694 fxp0 @0:32 b 193.166.3.2,33416 -> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT

The ipnat.rules is like:

# removing this rule "fixes" the problem
map fxp0 192.168.1.0/24 -> $external_ip/32 proxy port ftp ftp/tcp
rdr fxp0 0.0.0.0/0 port 6881 -> 192.168.1.1 port 6881
map fxp0 192.168.1.0/24 -> $external_ip/32 portmap tcp/udp 40000:60000
map fxp0 192.168.1.0/24 -> $external_ip/32

When the problem is on, the relevant 'ipnat -l' entry is like:
MAP 192.168.1.1     42806 <- -> $external_ip    42806 [193.166.3.2 21]
        proxy ftp/6 use 0 flags 0
                proto 6 flags 0 bytes 3257 pkts 26 data YES size 312
        FTP Proxy:
                passok: 0
        Client:
                seq e4b6e847 (ack e4b6e847) len 0 junk 0 cmds 0
                buf [RETR 10Mnull\015\012\015\012\000]
        Server:
                seq 6c3771cd (ack 6c3771cd) len 62 junk 0 cmds 150
                buf [150-Accepted data connection\015\012150 10240.0 kbytes to download\015\012dow\015\012331-\015\012331 Any password will work\015\012 the regular Funet\000]


The ipf rules look somewhat like below:

0 block in log quick from any to any with short
70 block in on fxp0 all
276 pass in quick on fxp0 proto ipv6 from any to any
0 pass in quick on fxp0 proto icmp from any to any keep state
0 block in log quick on fxp0 from $external_ip/32 to any
0 block return-rst in quick on fxp0 proto tcp from any to $external_ip/32 port = tircproxy flags S/SA keep state
4 pass in quick on fxp0 proto tcp from any to $external_ip/32 port >= 1023 flags S/SA keep state
0 pass in quick on fxp0 proto tcp from any to $external_ip/32 port = ftp flags S/SA keep state
... a couple of other such rules which haven't had any passes ..
0 pass in quick on fxp0 proto tcp from any to any port = 6881 flags S/SA keep state
0 pass in quick on fxp0 proto udp from any to any port = 6881 keep state
3 block return-rst in log on fxp0 proto tcp from any to $external_ip/32 flags S/SA
5 block return-icmp(port-unr) in log on fxp0 proto udp from any to $external_ip/32
0 block in quick on fxp0 from any to 255.255.255.255/32
130 block in log on fxp0 all

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
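As an added illustration (not code from the original post, nor ipfilter's own logic): a small model of the stateful TCP window check that produces an out-of-window ("OOW") verdict like the ones in the ipmon log above, showing how the receiver's window-scale shift changes the answer for the same burst of segments. The window field, shift and segment sizes are constructed values; the ACK number is borrowed from the ipnat -l output above.

```python
# Added illustration: a generic stateful-firewall TCP window check, showing
# why a window-scale shift that is applied vs. ignored changes the verdict
# for the same packets.  All values constructed; not ipfilter's code.
from dataclasses import dataclass
from typing import List

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap modulo 2**32


@dataclass
class PeerState:
    """What the firewall recorded about the receiving peer's window."""
    ack: int       # highest ACK the receiver has sent (left edge of its window)
    window: int    # raw 16-bit window field from the receiver's last segment
    wscale: int    # shift from the receiver's SYN option; 0 if never recorded

    def effective_window(self) -> int:
        return self.window << self.wscale


def in_window(peer: PeerState, seq: int, payload_len: int) -> bool:
    """Model rule: the whole payload must fit between the receiver's ACK and
    the (scaled) right edge of its advertised window, with wraparound."""
    rel_start = (seq - peer.ack) % SEQ_MOD
    return rel_start + payload_len <= peer.effective_window()


def verdicts(peer: PeerState, first_seq: int, mss: int, count: int) -> List[str]:
    """Judge a burst of `count` back-to-back segments of `mss` bytes, as a
    sender emits them once the receiver has opened a large window."""
    out = []
    for i in range(count):
        seq = (first_seq + i * mss) % SEQ_MOD
        out.append("pass" if in_window(peer, seq, mss) else "OOW")
    return out


def oow_count(peer: PeerState, first_seq: int, mss: int, count: int) -> int:
    return verdicts(peer, first_seq, mss, count).count("OOW")


if __name__ == "__main__":
    # Constructed: receiver advertised window field 0x1000 (4096) with a
    # window-scale shift of 6, i.e. a real window of 262144 bytes.
    scaled = PeerState(ack=0x6c3771cd, window=0x1000, wscale=6)
    unscaled = PeerState(ack=0x6c3771cd, window=0x1000, wscale=0)
    burst = (0x6c3771cd, 1460, 20)  # 20 MSS-sized segments starting at the ACK
    print("shift applied:", oow_count(scaled, *burst), "of 20 flagged OOW")
    print("shift ignored:", oow_count(unscaled, *burst), "of 20 flagged OOW")
```

With the shift applied the whole burst passes; with it ignored only the first two segments fit inside the unscaled 4096-byte window and the remaining 18 are flagged OOW, which is the kind of verdict a tracker that lost the scale option would log.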