From owner-freebsd-pf@FreeBSD.ORG Tue May 29 09:09:01 2007
Message-ID: <465BED72.6090100@vwsoft.com>
Date: Tue, 29 May 2007 11:08:02 +0200
From: Volker
To: Zhouyi Zhou
Cc: mlaier@FreeBSD.org, "FreeBSD (PF)"
Subject: Re: have anyone configured "synproxy state" beforce
In-Reply-To: <007001c7a122$38fd41b0$1c024dd2@iosdf17a8152bc>

On 05/28/07 14:17, Zhouyi Zhou wrote:
> Hi everyone (in particular Max :-))
> The configuration line in my pf.conf is:
> pass in quick on lo0 proto tcp from any to any port 21 flags S/SA synproxy state
>
> But:
> the connection is established, but the control did not seem to pass to the ftpd
> Sincerely yours
> Zhouyi Zhou

Zhouyi,

security@ is the wrong mailing list. Please post questions like this to pf@.

I'm wondering where this traffic originates? You're using interface lo0, which will (most likely) be used for traffic on the local machine, but you should not find much traffic on that interface from other hosts.

As you're using 21/tcp, I assume you're playing with FTP traffic. FTP is not just using that single (control) port but a pair of 21/tcp and a dynamically allocated port. You have to pass that traffic too, or otherwise no data communication will be established. Also, it is most likely that you will have to use an FTP proxy.

I suspect your whole problem is really not synproxy related.

HTH

Volker

> (Sorry for the previously base64 encoded mail caused by M$ Outlook)

PS: FreeBSD is also great for workstations! :)
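
Added example, not part of the original message: a Python sketch of what an FTP-aware proxy has to read from the control channel on 21/tcp to learn the dynamically allocated data port that a single port-21 rule does not cover. It goes slightly beyond the message by also handling EPSV (RFC 2428); the function names and the sample transcript (documentation addresses) are constructed for illustration.

```python
import re

# RFC 959: "227 ... (h1,h2,h3,h4,p1,p2)" (PASV reply) and "PORT h1,h2,h3,h4,p1,p2"
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
# RFC 2428: "229 ... (|||port|)" (EPSV reply); the delimiter may be any character
_EPSV = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(line, server_ip):
    """Return (mode, ip, port) for the data connection announced by one
    control-channel line, or None if the line negotiates nothing.
    server_ip is the control connection's server address; an EPSV reply
    carries only a port, so the address must come from there."""
    line = line.strip()
    verb = line[:4].upper()
    if verb.startswith("227") or verb == "PORT":
        m = _HOSTPORT.search(line)
        if not m:
            return None
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None  # malformed octet or port byte
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]  # port is sent as two bytes
        mode = "passive" if verb.startswith("227") else "active"
        return (mode, ip, port)
    if verb.startswith("229"):
        m = _EPSV.search(line)
        if m and 0 < int(m.group(2)) <= 65535:
            return ("passive", server_ip, int(m.group(2)))
    return None


def negotiated_endpoints(lines, server_ip):
    """Collect every data endpoint negotiated in a control-channel transcript."""
    found = (data_endpoint(l, server_ip) for l in lines)
    return [e for e in found if e is not None]


# Constructed sample transcript (RFC 5737 documentation addresses).
SAMPLE = [
    "220 FTP server ready.",
    "USER anonymous",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "PORT 198,51,100,7,4,1",
    "229 Entering Extended Passive Mode (|||50001|)",
]

if __name__ == "__main__":
    for mode, ip, port in negotiated_endpoints(SAMPLE, "192.0.2.10"):
        print(f"{mode:8s} data connection -> {ip}:{port}")
```

Each endpoint returned is a second TCP connection that the filter must allow for the session to transfer any data, and tracking these is the work an FTP proxy does on the firewall's behalf.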