From owner-freebsd-pf@FreeBSD.ORG Tue May 29 09:44:09 2007
Date: Tue, 29 May 2007 17:19:17 +0800
From: zhouyi zhou <zhouzhouyi@ercist.iscas.ac.cn>
To: Volker
Cc: mlaier@FreeBSD.org, freebsd-pf@freebsd.org
Message-Id: <20070529171917.23c348f6.zhouzhouyi@ercist.iscas.ac.cn>
In-Reply-To: <465BED72.6090100@vwsoft.com>
References: <007001c7a122$38fd41b0$1c024dd2@iosdf17a8152bc> <465BED72.6090100@vwsoft.com>
Organization: Institute of Software
Subject: Re: has anyone configured "synproxy state" before
List-Id: "Technical discussion and general questions about packet filter (pf)"

Dear Mr. Volker,

Thank you very much. Zelest persuaded me to add a "set skip on lo0". That becomes:

set skip on lo0
pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy state

Sincerely yours,
Zhouyi Zhou

On Tue, 29 May 2007 11:08:02 +0200 Volker wrote:
> On 05/28/07 14:17, Zhouyi Zhou wrote:
> > Hi everyone (in particular Max :-)),
> > The configuration line in my pf.conf is:
> > pass in quick on lo0 proto tcp from any to any port 21 flags S/SA synproxy state
> >
> > But:
> > the connection is established, but the control did not seem to pass to the ftpd.
> > Sincerely yours
> > Zhouyi Zhou
>
> Zhouyi,
>
> security@ is the wrong mailing list. Please post questions like this to pf@.
>
> I'm wondering where this traffic originates? You're using interface lo0, which will (most likely) be used for traffic on the local machine, but you should not find much traffic on that interface from other hosts.
>
> As you're using 21/tcp I assume you're playing with ftp traffic. Ftp is not just using that single (control) port but a pair of 21/tcp and a dynamically allocated port. You have to pass that traffic, too, or otherwise no data communication will be established. Also it is most likely that you will have to use an FTP proxy.
>
> I suspect your whole problem is really not synproxy related.
>
> HTH
>
> Volker
>
> > (Sorry for the previously base64 encoded mail caused by M$ outlook)
>
> PS: FreeBSD is also great for workstations! :)
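The two points made in the thread, that synproxy belongs on the external interface rather than lo0 and that FTP needs its data channel passed as well as port 21, put together as a pf.conf fragment. This is an added example, not a configuration posted by anyone in the thread. It assumes rl0 is the external interface, that ftpd runs on the firewall host itself, and that ftpd has been configured to hand out passive data ports in the range 49152-65535; none of that is stated in the thread, so adjust to the real daemon settings.

```pf
# Added example pf.conf fragment (not from the original thread).
# Assumptions, not stated in the thread: rl0 is the external interface,
# ftpd runs on this host, and ftpd is configured to use passive data
# ports 49152-65535 (change to match the daemon's actual passive range).
ext_if = "rl0"
ftp_pasv = "49152:65535"

# Loopback traffic never leaves the host, so don't filter (or synproxy) it.
set skip on lo0

# Default deny inbound on the external interface; the host's own outbound
# connections (including active-mode FTP data from port 20) go out with state.
block in on $ext_if
pass out on $ext_if keep state

# FTP control channel. With synproxy state, pf completes the three-way
# handshake with the client itself and only then opens the connection to
# ftpd, so half-open connections from a SYN flood never reach the daemon.
# synproxy state includes keep state, so no separate keep state is needed.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 21 flags S/SA synproxy state

# Passive-mode data channel: the client opens a second, inbound connection
# to a port in ftpd's passive range. Without this rule the login succeeds
# but listings and transfers stall, which matches the symptom in the thread.
pass in quick on $ext_if proto tcp from any to ($ext_if) port $ftp_pasv flags S/SA keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then watch `pfctl -ss` while a client logs in: you should see a state for port 21 on rl0 and, once the client issues PASV, a second state for a port in the passive range. If ftpd sits behind the firewall on another host instead of on it, the data channel has to be relayed by ftp-proxy(8) rather than passed statically, as Volker notes.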