Win32 clients can't access Windows Update & Yahoo Mail (IPFilter forum, System Security and Security Related category)
Greetings:
For some reason, I am unable to get my Win32 (Win98SE, WinME, & WinXP) clients, behind an IPFILTER NAT'ed firewall, to access Windows Update or log into Yahoo Mail (CA or UK versions). But these clients can access nearly everything else on the net and download large (> 1GB) files using HTTP(S) & FTP. Also, internal NetBSD & Linux desktops can access Yahoo Mail, even though the Win32 clients time out.

The NetBSD NAT firewall is running IPFILTER & IPNAT (version 3.4.29), and has a PPPoE connection. Note that the PPPoE interface has an MTU of 1460 and that I am using an mssclamp of 1408 = 1460 - 52. IPNAT is the only proxy service running on this machine. The NetBSD firewall is only running the SSH service (on TCP port 22). It has an external WAN interface with kernel-level PPPoE connected to an ISP, and an internal LAN interface. IPNAT is running on this firewall to bridge between the external WAN IP address and the internal LAN private network.

I am at a loss as to why the internal Win98SE & WinXP clients can't access Windows Update, and I would greatly appreciate any advice on how to fix it. I would even appreciate any advice on config/registry changes to these LAN Win32 desktops if it helps.

Below are my IPFILTER & IPNAT config files. Note that:
  ${WAN-IF} = pppoe
  ${WAN-IP} = 123.123.123.123   <== static
  ${LAN-IF} = fxp0
  ${LAN-IP} = 192.168.1.0       <== private class 'C' on LAN

Thanks in advance.
Alicia.
/etc/ipnat.conf
=====================================================================
# TCP/UDP from the LAN: translate to the static WAN address, take source
# ports from 20000-40000, and clamp the TCP MSS to 1408 to fit the
# 1460-byte PPPoE MTU.
map ${WAN-IF} ${LAN-IP}/24 -> ${WAN-IP}/32 portmap tcp/udp 20000:40000 mssclamp 1408
# Everything else from the LAN (ICMP, ...): plain address translation.
# mssclamp only affects TCP, so it is inert on this line.
map ${WAN-IF} ${LAN-IP}/24 -> ${WAN-IP}/32 mssclamp 1408
=====================================================================

/etc/ipf.conf
=====================================================================
# Inbound. Every packet matches this head rule and is then checked
# against group 1; if nothing in group 1 matches, the head's "block"
# applies.
block in log quick all head 1

# Drop fragments, TCP packets with short headers, and IP options.
block in log quick all with frag group 1
block in log quick proto tcp all with short group 1
block in log quick all with ipopts group 1

# Reject ident (TCP 113) with a RST instead of silently dropping it.
block return-rst in quick proto tcp from any to any port = 113 flags S group 1
block return-rst in quick proto tcp from any port = 113 to any flags S group 1

# Nothing is expected on the tunnel interfaces.
block in log quick on tun0 all group 1
block in log quick on tun1 all group 1
block in log quick on gif0 all group 1
block in log quick on gif1 all group 1
block in log quick on gif2 all group 1
block in log quick on gif3 all group 1

# Loopback and the LAN interface are fully trusted.
pass in quick on lo0 all group 1
pass in quick on ${LAN-IF} all group 1

# Let ICMP "fragmentation needed" through so path MTU discovery works.
pass in quick proto icmp from any to any icmp-type 3 code 4 group 1

# Anti-spoofing: test-net, private, link-local and multicast sources.
block in log quick from 192.0.2.0/24 to any group 1
block in log quick from 204.152.64.0/23 to any group 1
block in log quick from 169.254.0.0/16 to any group 1
block in log quick from 192.168.0.0/16 to any group 1
block in log quick from 172.16.0.0/12 to any group 1
block in log quick from 127.0.0.0/8 to any group 1
block in log quick from 10.0.0.0/8 to any group 1
block in log quick from 0.0.0.0/8 to any group 1
block in log quick from 224.0.0.0/3 to any group 1

# TCP to the WAN address: only SSH (group 11) is allowed; anything else
# falls back to this head's "block".
block in log quick proto tcp from any to ${WAN-IP}/32 head 11 group 1
pass in quick proto tcp from any to any port = 22 group 11

# Outbound. Same structure as inbound.
block out log quick all head 2
block out log quick all with frag group 2
block out log quick proto tcp all with short group 2
block out log quick all with ipopts group 2
block out log quick on tun0 all group 2
block out log quick on tun1 all group 2
block out log quick on gif0 all group 2
block out log quick on gif1 all group 2
block out log quick on gif2 all group 2
block out log quick on gif3 all group 2
pass out quick on lo0 all group 2
pass out quick on ${LAN-IF} all group 2
pass out quick proto icmp from any to any icmp-type 3 code 4 group 2

# Never send to test-net, private, link-local or multicast destinations.
block out log quick from any to 192.0.2.0/24 group 2
block out log quick from any to 204.152.64.0/23 group 2
block out log quick from any to 169.254.0.0/16 group 2
block out log quick from any to 192.168.0.0/16 group 2
block out log quick from any to 172.16.0.0/12 group 2
block out log quick from any to 127.0.0.0/8 group 2
block out log quick from any to 10.0.0.0/8 group 2
block out log quick from any to 0.0.0.0/8 group 2
block out log quick from any to 224.0.0.0/3 group 2

# Packets sourced from the WAN address (IPFilter filters outbound
# packets before NAT, so this is the firewall's own traffic): SSH
# replies, plus stateful new TCP, UDP, echo request and time exceeded.
block out log quick from ${WAN-IP}/32 to any head 21 group 2
pass out quick proto tcp from any port = 22 to any group 21
pass out quick proto tcp from any to any flags S keep state group 21
pass out quick proto udp from any to any keep state group 21
pass out quick proto icmp from any to any icmp-type 8 keep state group 21
pass out quick proto icmp from any to any icmp-type 11 keep state group 21

# Packets still carrying a LAN source address (seen before NAT).
block out log quick from ${LAN-IP}/24 to any head 23 group 2
pass out quick proto tcp from any to any flags S keep state group 23
pass out quick proto udp from any to any keep state group 23
pass out quick proto icmp from any to any icmp-type 8 keep state group 23
pass out quick proto icmp from any to any icmp-type 11 keep state group 23
=====================================================================