Date:      Wed, 25 Nov 2015 11:52:18 +0100
From:      Kristof Provost <kp@FreeBSD.org>
To:        J David <j.david.lists@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF synproxy state doesn’t negotiate TCP options in 10.2
Message-ID:  <20151125105218.GA2469@vega.codepro.be>
In-Reply-To: <CABXB=RRuzgKk44TGmtJ0Nfx21Z2Ef-bMEF4hpe1sH9+NLkf3Dw@mail.gmail.com>
References:  <CABXB=RRuzgKk44TGmtJ0Nfx21Z2Ef-bMEF4hpe1sH9+NLkf3Dw@mail.gmail.com>

On 2015-11-25 05:36:07 (-0500), J David <j.david.lists@gmail.com> wrote:
> It appears that “synproxy state” rules cause TCP connections to be
> negotiated without any options except MSS.
> 
...
> Is this behavior intentional?  If so, perhaps it should be mentioned
> on the man page?  If not, should we open a bug report on this?
> 
It's 'intentional' in the sense that it's simply not implemented in pf.
In the synproxy case pf generates the TCP packet from scratch. All
that's implemented there is the MSS option.

I suspect nothing more is implemented because of the complexity. Using
synproxy means there's no communication with the 'real' server until the
connection is (from the outside perspective) established, so pf can't
really know what values to negotiate.

You're right that it'd be good to document this in the man page though.

Regards,
Kristof
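The behaviour described in this thread can be verified on the wire: a SYN-ACK that pf generated itself under "synproxy state" carries only the MSS option, while a SYN-ACK from the real server typically also carries window scaling, SACK-permitted and timestamps. The following is an added example (not code from this thread, and not pf's own C implementation) that parses the option list of a raw TCP segment and reports which of those options are absent. The two sample segments are constructed inline with made-up port, sequence and timestamp values; `build_syn_ack`, `parse_tcp_options` and `missing_options` are names chosen for this example.

```python
import struct

# TCP option kinds from RFC 9293 (MSS), RFC 7323 (window scale, timestamps)
# and RFC 2018 (SACK-permitted).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8

# Options a stack normally negotiates in a SYN-ACK beyond MSS.
EXPECTED_BEYOND_MSS = {"wscale", "sackOK", "timestamp"}


def parse_tcp_options(segment: bytes) -> dict:
    """Return a dict of the options present in a raw TCP segment (no IP header)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    # Data offset is the high nibble of byte 12, in 32-bit words.
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    result = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            result["wscale"] = body[0]
        elif kind == OPT_SACKOK and length == 2:
            result["sackOK"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            result["timestamp"] = struct.unpack("!II", body)
        else:
            result.setdefault("unknown", []).append(kind)
        i += length
    return result


def missing_options(segment: bytes) -> list:
    """Sorted names of the usual non-MSS options that this SYN-ACK does not carry."""
    return sorted(EXPECTED_BEYOND_MSS - set(parse_tcp_options(segment)))


def build_syn_ack(options: bytes) -> bytes:
    """Constructed SYN-ACK header (dummy ports/sequence numbers) with the given options."""
    options += b"\x00" * ((-len(options)) % 4)  # pad to a 32-bit boundary with EOL
    data_offset = (20 + len(options)) // 4
    flags = 0x12  # SYN|ACK
    header = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 1,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options


# Constructed sample: what a synproxy-generated SYN-ACK looks like (MSS only).
SYNPROXY_SYNACK = build_syn_ack(b"\x02\x04\x05\xb4")

# Constructed sample: a typical server SYN-ACK with MSS, NOP, wscale 7,
# SACK-permitted and a timestamp option.
SERVER_SYNACK = build_syn_ack(
    b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07" + b"\x04\x02"
    + b"\x08\x0a" + struct.pack("!II", 12345, 0)
)

if __name__ == "__main__":
    for name, seg in (("synproxy", SYNPROXY_SYNACK), ("server", SERVER_SYNACK)):
        print(name, parse_tcp_options(seg), "missing:", missing_options(seg))
```

To run this against real traffic, feed it the TCP portion of a captured SYN-ACK (for example the bytes after the IP header of a packet recorded with tcpdump); a result that lists wscale, sackOK and timestamp as missing on a synproxy-protected port is the symptom the original poster observed.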
