I figured out another reason why linux boxes couldn't connect to me.

    I wasn't running keep state on incoming traffic, only outgoing.  That
    means the keep state didn't have the initial SYN packet from an
    outside host making a connection into me.  No initial SYN, no window
    scaling info.

    My current pickup check is not quite sufficient, either.  I have to
    check that the SYN was observed in both directions.  Seeing just one
    of the SYNs may not be enough.  I'll have to re-read the window scaling
    rules.

    Max, or anyone... do you happen to remember whether window scaling
    is negotiated the same for both directions or whether each direction
    in a TCP connection can use a different scaling factor?

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
[ message continues ]

The latter, wouldn't make much sense if your peer could dictate a scaling 
factor.

The wscale for the other direction is set here:
http://fxr.watson.org/fxr/source/net/pf/pf.c?v=DFBSD#L3810 ff. Note that 
this is in the state tracking already, we are looking at the first packet 
from src and TH_SYN is set (-> this is the SYN+ACK) from the peer.  
dst.wscale was already set when the state was created: 
http://fxr.watson.org/fxr/source/net/pf/pf.c?v=DFBSD#L2727 (where src is 
the other end sending the initial SYN).

At least this is the way things behave when you have "flags S/SA".

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
[ message continues ]