Date: Thu, 16 Sep 2004 03:49:41 -0000
From: Bruno Afonso <brunomiguel@dequim.ist.utl.pt>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] pfaltq-5.1.0.4 problem using fingerprinting
Message-ID: <3F54A3F9.3010101@dequim.ist.utl.pt>
All seems to be working fine, including AltQ integration. Only a minor glitch when I do ifconfig (box reboots... works perfectly fine on another 5.1 box. Probably a kernel option. Will do some more research on this...).

Anyway, passive fingerprinting may have a bug. This is the important rule in question:

#ssh
pass in on $ext_if proto tcp from any os Windows to $main_ip port 22 modulate state queue(interact_bulk,interact_ack)

Without the "os Windows" everything works fine. And I am coming in from a Windows box, as tcpdump shows:

my.ip.14338 > public.ip.22: S (src OS: Windows 2000 SP3, Windows XP) 709831067:709831067(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

This was a mere test. :-) Now, the interesting part is that, if I use a FreeBSD box to ssh in, it works...

FreeBSd.box.ip.57050 > public.ip.22: S (src OS: FreeBSD 5.0, FreeBSD 4.8-4.9) 632746775:632746775(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 674899877 0> (DF)

But even more interesting is that, if I change the rule to:

#ssh
pass in on $ext_if proto tcp from any os Cisco to $main_ip port 22 modulate state queue(interact_bulk,interact_ack)

I can ssh in using FreeBSD but not using the Windows box... My FreeBSD box is on the local network and the Windows box on a remote one. But there's a clear problem in always allowing FreeBSD.

pf.os is from obsd cvs with some entries removed due to pfctl complaining about them:

#16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
#16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
#32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
#32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
#65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
#65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2

Thanks, take care
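The post hinges on which pf.os class each incoming SYN is assigned to, and tcpdump's "src OS:" guess is the only evidence given. The following is an added example, not pf's code and not part of the original message: it re-derives a pf.os-style signature (window:ttl:df:size:options) from the two SYN lines quoted above and matches it against a few entries in pf.os(5) layout, so one can check offline which `os` class a rule like `from any os Windows` should match. The two AIX entries are the ones quoted in the post; the Windows and FreeBSD entries, the initial TTLs (128 and 64) and the SYN packet sizes (48 and 60 bytes, which tcpdump does not print) are assumptions constructed for this example. The `Sn`/`Tn` window notation (multiple of MSS / MTU) and the "observed TTL at or below the entry's TTL" rule are this example's reading of pf.os(5), not a claim about pf's internals, and the code does not reproduce the misbehaviour reported (FreeBSD being allowed under `os Cisco`); it only shows the matching the rule is expected to perform.

```python
import re

# Entries in pf.os(5) layout: window:ttl:df:size:options:class:version:subtype:desc
# AIX lines are quoted from the post; Windows/FreeBSD lines are constructed for
# this example and are NOT copied from the real pf.os file.
SAMPLE_PF_OS = """\
# window:ttl:df:size:options: class:version:subtype:description
64240:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows 2000 SP3 (constructed)
65535:128:1:48:M*,N,N,S: Windows:XP::Windows XP (constructed)
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-4.9 (constructed)
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0::FreeBSD 5.0 (constructed)
16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
"""

# The two SYNs quoted in the post (tcpdump output, copied as-is).
WINDOWS_SYN = ("my.ip.14338 > public.ip.22: S (src OS: Windows 2000 SP3, Windows XP) "
               "709831067:709831067(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)")
FREEBSD_SYN = ("FreeBSd.box.ip.57050 > public.ip.22: S (src OS: FreeBSD 5.0, FreeBSD 4.8-4.9) "
               "632746775:632746775(0) win 65535 "
               "<mss 1460,nop,wscale 1,nop,nop,timestamp 674899877 0> (DF)")


def parse_pf_os(text):
    """Parse pf.os-style lines; '#' starts a comment, every entry has 9 fields."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 9:
            raise ValueError("malformed pf.os entry: %r" % line)
        window, ttl, df, size, opts, osclass, version, subtype, desc = fields
        entries.append({"window": window, "ttl": ttl, "df": df, "size": size,
                        "options": [] if opts == "." else opts.split(","),
                        "class": osclass, "version": version,
                        "subtype": subtype, "desc": desc})
    return entries


_SYN_RE = re.compile(r"win (\d+) <([^>]*)>( \(DF\))?")


def syn_signature(tcpdump_line, ttl, packet_size):
    """Turn a tcpdump SYN line into pf.os notation. TTL and size are supplied
    by the caller (assumed values) because this tcpdump output omits them."""
    m = _SYN_RE.search(tcpdump_line)
    if not m:
        raise ValueError("no SYN options found in line")
    opts, mss = [], None
    for raw in m.group(2).split(","):
        tok = raw.strip().split()
        if tok[0] == "mss":
            mss = int(tok[1]); opts.append("M%d" % mss)
        elif tok[0] == "nop":
            opts.append("N")
        elif tok[0] == "sackOK":
            opts.append("S")
        elif tok[0] == "wscale":
            opts.append("W%d" % int(tok[1]))
        elif tok[0] == "timestamp":
            opts.append("T0" if int(tok[1]) == 0 else "T")  # T0: zero tsval
        elif tok[0] == "eol":
            opts.append("E")
        else:
            opts.append("?")  # unknown option kind
    return {"window": int(m.group(1)), "ttl": ttl, "df": 1 if m.group(3) else 0,
            "size": packet_size, "options": opts, "mss": mss}


def _num_ok(pattern, value, mss):
    """Window/size patterns: exact, '*', '%n' multiple, 'Sn' n*MSS, 'Tn' n*MTU."""
    if pattern == "*":
        return True
    if pattern.startswith("%"):
        return value % int(pattern[1:]) == 0
    if pattern[0] == "S":
        return mss is not None and value == int(pattern[1:]) * mss
    if pattern[0] == "T":
        return mss is not None and value == int(pattern[1:]) * (mss + 40)
    return value == int(pattern)


def _opt_ok(pattern, opt):
    """Option patterns: exact, or for M/W a '*' wildcard or '%n' multiple."""
    if pattern == opt:
        return True
    if pattern[0] in "MW" and opt[0] == pattern[0]:
        spec, val = pattern[1:], int(opt[1:])
        if spec == "*":
            return True
        if spec.startswith("%"):
            return val % int(spec[1:]) == 0
    return False


def entry_matches(entry, sig):
    # Entry TTL is treated as the initial TTL; hops only lower the observed one.
    return (_num_ok(entry["window"], sig["window"], sig["mss"])
            and (entry["ttl"] == "*" or sig["ttl"] <= int(entry["ttl"]))
            and entry["df"] == str(sig["df"])
            and _num_ok(entry["size"], sig["size"], sig["mss"])
            and len(entry["options"]) == len(sig["options"])
            and all(_opt_ok(p, o) for p, o in zip(entry["options"], sig["options"])))


def classify(tcpdump_line, ttl, packet_size, entries):
    """Return the set of OS classes whose entries match this SYN."""
    sig = syn_signature(tcpdump_line, ttl, packet_size)
    return {e["class"] for e in entries if entry_matches(e, sig)}


def rule_allows(os_class, tcpdump_line, ttl, packet_size, entries=None):
    """Would 'pass in ... from any os <os_class>' match this SYN?"""
    entries = parse_pf_os(SAMPLE_PF_OS) if entries is None else entries
    return os_class in classify(tcpdump_line, ttl, packet_size, entries)


if __name__ == "__main__":
    table = parse_pf_os(SAMPLE_PF_OS)
    for name, line, ttl, size in (("Windows SYN", WINDOWS_SYN, 128, 48),
                                  ("FreeBSD SYN", FREEBSD_SYN, 64, 60)):
        print(name, "->", sorted(classify(line, ttl, size, table)))
        for cls in ("Windows", "FreeBSD", "Cisco"):
            print("   os %-8s allows: %s" % (cls, rule_allows(cls, line, ttl, size, table)))
```

With the constructed table, the Windows SYN falls only in the Windows class and the FreeBSD SYN only in FreeBSD, so `os Windows` would admit the first and reject the second, and `os Cisco` would reject both; a real pf.os table and the real TTL/length from a full tcpdump capture (`-v` prints them) are what to feed in when checking a live ruleset.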