Date:      Wed, 19 Sep 2007 20:41:06 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: pfctl -e and pfctl -d kills all connections
Message-ID:  <200709192041.16258.max@love2party.net>
In-Reply-To: <499c70c0709191042m2e784314j564e8974703b2fe6@mail.gmail.com>
References:  <499c70c0709191042m2e784314j564e8974703b2fe6@mail.gmail.com>

On Wednesday 19 September 2007, Abdullah Ibn Hamad Al-Marri wrote:
> Hello Guys,
>
> Here are my full rules.
>
> When I pfctl -e or pfctl -d all connections will die.

... "rules with synproxy state"

> Do you know the cause?

See above.  Using "synproxy state" causes pf to complete the 3WHS before
contacting the other endpoint, hence it has to translate all future
sequence numbers for this connection.  If you disable pf, the translation
goes away and the connection dies.  The same thing happens if you
use "modulate state".

For the "pfctl -e" case:  The pf in CURRENT uses "keep state flags S/SA"
by default for any tcp pass rule.  That means that it will only match on
the initial SYN that starts the connection.  The rest of the connection
is then passed based on the state entry.  Consequently any pre-existing
connection will not have a state entry and be blocked.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
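To make the three cases in Max's explanation concrete, here is a constructed pf.conf fragment added for illustration; it is not the original poster's ruleset and not part of the reply above. The interface name em0 and the host address are assumptions, and the comments describe the behaviour of each rule form under "pfctl -d" and "pfctl -e" as stated in the thread:

```pf
# Constructed example, not the poster's ruleset.  Interface and host are assumed.
ext_if = "em0"
www    = "192.0.2.10"

# Default deny inbound; the pass rules below are the only way in.
block in on $ext_if

# 1. "synproxy state": pf answers the client's SYN itself, completes the
#    three-way handshake, then opens a second handshake to $www.  Every
#    later segment has its sequence numbers rewritten by pf, so "pfctl -d"
#    removes that translation and the connection dies mid-stream.
pass in on $ext_if proto tcp from any to $www port 80 synproxy state

# 2. "modulate state": the handshake is passed through, but pf rewrites
#    the initial sequence numbers, so "pfctl -d" breaks the flow the same way.
pass in on $ext_if proto tcp from any to $www port 443 modulate state

# 3. Plain tcp pass rule.  On the pf discussed here this is implicitly
#    "flags S/SA keep state": the rule matches only the initial SYN and
#    later segments are passed by the state entry.  After "pfctl -e" a
#    connection that was established while pf was disabled has no state
#    entry, its non-SYN segments match only the block rule, and it stalls.
pass in on $ext_if proto tcp from any to $www port 22
```

The operational takeaway is to change a running ruleset with "pfctl -f /etc/pf.conf" rather than toggling "pfctl -d" and "pfctl -e": a reload replaces the rules but keeps the state table, so neither the sequence-number translation of synproxy/modulate states nor the state entries of established connections are lost.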
