FreeBSD + pf problem with window scaling

Posted by epistasis
Sep 13 2009

I’ve been having problems for a while with window scaling on my network. I run a FreeBSD router utilising pf for NAT/firewall. Some computers (those with Vista, Windows 7, or recent Ubuntu releases installed) could not establish connections to Google and some other websites, and applications such as Windows Live (MSN) Messenger could not establish connections.

On Windows Vista and Windows 7, disabling window scaling (also called Receive Window Auto-Tuning) with the following command was a successful patch for the problem:

netsh interface tcp set global autotuninglevel=disabled

In Ubuntu the same patch was to modify /etc/sysctl.conf to disable window scaling. I added the following line:

net.ipv4.tcp_window_scaling = 0

This was only a temporary fix, however, as I did not want to have to disable the feature all the time.

To properly support TCP window scaling, pf must create a state on the initial SYN packet of the connection.

If the state is created on a subsequent packet (for example when the SYN is accidentally passed without creating a state, and the state is then created on the returning SYN+ACK), pf has missed the window scaling negotiation containing the scaling factors, and will eventually stall connections. Each peer’s scaling factor is only seen in its SYN packet and can’t be deduced later on.

Check your ruleset and verify that

a) there is a default block policy
b) all ‘pass’ rules applying to TCP have both ‘keep state’ and ‘flags S/SA’.

That was it! Vista, 7 and Ubuntu were happy again with default settings, so I was able to re-enable Windows auto-tuning by typing:

netsh interface tcp set global autotuninglevel=normal

and for Ubuntu, I was able to erase the line in /etc/sysctl.conf.
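As an added example, not from the original post: the two-point ruleset check above, automated as a small lint over a pf ruleset. The sample ruleset, its interface names and addresses are constructed for illustration. The lint prints every TCP ‘pass’ rule that lacks ‘flags S/SA’ or a state keyword (the two things that make pf create state on the SYN and so record the window scaling factors) and separately confirms that a default block rule is present.

```shell
#!/bin/sh
# Added example (not from the original post): lint a pf ruleset for the two
# conditions the post lists: a default block policy, and 'flags S/SA' plus
# state keeping on every TCP pass rule. One rule per line is assumed.

# Constructed sample ruleset; the interfaces and rules are hypothetical.
# The first 'pass in' TCP rule is the kind that causes the stalls: state
# can be created on a later packet, after the SYN has already gone by.
SAMPLE_RULESET='
ext_if = "em0"
int_if = "em1"
set skip on lo0
nat on $ext_if from $int_if:network to any -> ($ext_if)
block all
pass in on $int_if proto tcp from $int_if:network to any
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass in on $int_if proto tcp from $int_if:network to any port 22 flags S/SA keep state
pass in quick on $int_if proto udp from $int_if:network to any port 53 keep state
'

# Print each TCP pass rule missing 'flags S/SA' or a state keyword.
# Returns 0 when every TCP pass rule is compliant, 1 otherwise.
# 'modulate state' and 'synproxy state' also keep state, so they count.
lint_tcp_pass_rules() {
    printf '%s\n' "$1" | awk '
        /^pass( |$)/ && /proto tcp/ {
            missing = ""
            if ($0 !~ /flags S\/SA/) missing = missing " flags S/SA"
            if ($0 !~ /(keep|modulate|synproxy) state/) missing = missing " keep state"
            if (missing != "") { print "lacks" missing ": " $0; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# Succeed only if the ruleset contains an unqualified default block rule
# ('block', 'block all', 'block in all', 'block drop all', ...).
has_default_block() {
    printf '%s\n' "$1" | grep -Eq '^block( drop| return)?( in| out)?( all)?[[:space:]]*$'
}

# Stand-alone run over the constructed sample.
if lint_tcp_pass_rules "$SAMPLE_RULESET"; then
    echo "all TCP pass rules carry flags S/SA and keep state"
fi
has_default_block "$SAMPLE_RULESET" || echo "no default block rule found"
```

Run over the sample, the lint reports the one bare ‘pass in … proto tcp’ rule; adding ‘flags S/SA keep state’ to it, as in the two rules below it, is the fix the post describes. The lint looks for the keywords spelled out, so use its output as a pointer to the rules worth reading rather than as a full parse of pf.conf (macros, lists and rules split across lines are not handled).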

Windows Server 2003 Quick Launch Permission Errors

Posted by epistasis
May 17 2009

Problem: I’ve been trying to fix this for ages. Basically, when logged on as Administrator to my Windows 2003 Server box, using folder redirection (particularly for the Application Data folder, which is where the user’s quick launch is stored – App Data\Microsoft\Internet Explorer\Quick Launch), and redirecting over a share (even though the share is on the same server), clicking any quick launch items brings up an error saying “You may not have the appropriate permissions” etc.

Solution: After lots of googling I found the answer is to add the file server to the ‘Intranet’ zone under the Security tab of Internet Explorer. (i.e. add server or http://server). This will make the quick launch work again. If you want to reload the quick launch, go into task manager and kill explorer.exe, then start it up again.

DKVM-4U not recognising keyboard

Posted by epistasis
Feb 09 2009

I bought a D-Link 4 Port USB KVM switch (DKVM-4U) to switch between my servers in their newly installed Node Zero, but I am experiencing a problem with it. Basically, the mouse and video bits work fine, but as soon as you plug in a USB keyboard the unit stops responding and needs a complete reset.

FreeBSD chown and chmod

Posted by epistasis
Jan 28 2009

Problem: I was recently trying to use chmod and chown in PHP on a FreeBSD system. I found out that these two commands (for obvious reasons) can only be used by the superuser, therefore I couldn’t change the owner of an uploaded file (via a website) from www to the user whose website it was. In Solaris you can just change rstchown to 0 in /etc/system – unfortunately I couldn’t find a similar way to do this in FreeBSD.

Solution: The main solution I have found to this is to just use a cron job as root to chown all the files (by using an asterisk in the file path) in a certain directory (the upload directory) to the user. This is also a lot safer than allowing other users to use chmod/chown.

Obviously, if anyone can think of a better way of doing this, please let me know.
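As an added example, not from the original post: the root cron job described above, written as a script that selects files with find instead of a shell wildcard, so that it only re-owns plain files the web server itself wrote and cannot be steered by a symbolic link placed in the upload directory. The directory path and the two account names are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): hand files uploaded through
# the web server over to the site owner from a root cron job.
# UPLOAD_DIR, WEB_USER and SITE_USER are hypothetical placeholder values.
UPLOAD_DIR="${UPLOAD_DIR:-/usr/local/www/site/uploads}"
WEB_USER="${WEB_USER:-www}"            # account the web server writes files as
SITE_USER="${SITE_USER:-siteowner}"    # account that should own them afterwards

# Why not "chown siteowner /path/uploads/*":
#  - the glob skips dotfiles and can exceed the argument-length limit;
#  - chown without -h follows a symbolic link named on the command line, so
#    a link planted in the upload directory would re-own its target instead;
#  - it re-owns everything in the directory, not only what the web server wrote.
# find with -type f (plain files only, never links), -user (only files the
# web server created) and -maxdepth 1 (this directory only) avoids all three.

# List the files that would be re-owned.  args: dir from_user
candidate_files() {
    find "$1" -maxdepth 1 -type f -user "$2"
}

# Re-own them.  args: dir from_user to_user
reown_uploads() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" -maxdepth 1 -type f -user "$2" -exec chown "$3" {} +
}

# Entry point for cron, e.g.  */5 * * * * /usr/local/sbin/reown_uploads.sh --run
# Keep the script itself owned by root and writable only by root, since
# cron runs it with root's privileges.
if [ "${1:-}" = "--run" ]; then
    reown_uploads "$UPLOAD_DIR" "$WEB_USER" "$SITE_USER"
fi
```

A dry run with candidate_files before enabling the cron entry shows exactly which files will change hands; anything the web server did not create, and anything that is not a plain file, stays as it is.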