Date:      Mon, 7 Apr 2008 17:05:58 -0700
From:      Jeremy Chadwick <koitsu@freebsd.org>
To:        Elliott Perrin <elliott@c7.ca>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: SSH Session disconnecting with pf
Message-ID:  <20080408000558.GA18044@eos.sc1.parodius.com>
In-Reply-To: <1207610249.32218.143.camel@kensho.c7.ca>
References:  <003801c898fb$16a897a0$43f9c6e0$@net> <20080407230750.GA15720@eos.sc1.parodius.com> <1207610249.32218.143.camel@kensho.c7.ca>

On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > > I'm running FreeBSD stable 6.2 on all my servers and in the past one year I
> > > noticed random disconnections of persistent sessions to and from servers
> > > which are running PF as the firewall
> > 
> > The big problem with your rules looks to be how you're determining SYN,
> > and how you're using keep state.
> > 
> > Below are some comments.
> > 
> > >         SYN_ONLY="S/FSRA"
> > 
> > This is very, very wrong, and probably the cause of your issues.  This
> > should be S/SA.
> 
> That is not very very wrong. 
> 
> Any TCP session starting up should only have the SYN flag set out of SYN
> FIN ACK RST. As a matter of fact this is in theory a more secure setting
> than S/SA (SYN out of SYN ACK). 

You're correct, and it was I who was very wrong.  :-)  Thank you for
correcting me.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080408000558.GA18044>
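The exchange above turns on what pf's "flags a/b" option actually matches. pf.conf(5) describes it as: of the flag bits listed in b, exactly those listed in a must be set, and bits not listed in b are ignored. That is a mask-and-compare, and the script below (an added example, not code from the thread or from pf itself) implements that comparison and runs the two contested settings, S/SA and S/FSRA, over a handful of constructed TCP flag combinations. The packet flag values are made up for illustration, not captured traffic. The output shows why the retraction is right: every legitimate session-opening SYN, including an ECN-capable SYN carrying ECE and CWR, passes both settings, while S/FSRA additionally rejects a SYN combined with FIN or RST, which S/SA lets through.

```python
"""Added example (not from the thread): how pf's ``flags a/b`` matches a TCP
header, and what ``flags S/SA`` versus ``flags S/FSRA`` each accept.

pf.conf(5): "flags a/b ... only applies to TCP packets that have the flags a
set out of set b. Flags not specified in b are ignored."  In pf's packet path
that is  (th_flags & b) == a.  The sample packets below are constructed.
"""
from __future__ import annotations

# TCP flag bits as laid out in the header (RFC 793, ECN bits from RFC 3168),
# keyed by the single-letter names pf.conf(5) uses.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flag_bits(letters: str) -> int:
    """Turn a pf flag list such as "SA" or "FSRA" into a header bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]  # KeyError for a letter pf would not accept either
    return bits


def parse_flags_option(spec: str) -> tuple[int, int]:
    """Parse the argument of pf's ``flags a/b``; returns (must_be_set, checked)."""
    a, _, b = spec.partition("/")
    return flag_bits(a), flag_bits(b)


def pf_flags_match(spec: str, packet_flags: int) -> bool:
    """pf's test: among the bits listed in b, exactly those listed in a are set."""
    must, checked = parse_flags_option(spec)
    return (packet_flags & checked) == must


# Constructed flag combinations, named for what they would mean on the wire.
SAMPLE_PACKETS = {
    "plain SYN":    flag_bits("S"),
    "SYN with ECN": flag_bits("SEW"),  # ECN-capable client opening a session
    "SYN+ACK":      flag_bits("SA"),   # second leg of the handshake
    "SYN+FIN":      flag_bits("SF"),   # never legitimate; scanner/fuzzer territory
    "SYN+RST":      flag_bits("SR"),   # likewise never legitimate
    "data ACK+PSH": flag_bits("AP"),   # mid-session segment
}


def compare_rules(packets=SAMPLE_PACKETS, specs=("S/SA", "S/FSRA")):
    """Evaluate each spec against each packet: {packet: {spec: matched}}."""
    return {name: {spec: pf_flags_match(spec, flags) for spec in specs}
            for name, flags in packets.items()}


if __name__ == "__main__":
    # Equivalent pf.conf lines for the two settings under discussion:
    #   pass in proto tcp to port 22 flags S/SA   keep state
    #   pass in proto tcp to port 22 flags S/FSRA keep state
    for name, results in compare_rules().items():
        verdicts = "  ".join(f"{spec}: {'match' if ok else 'no match'}"
                             for spec, ok in results.items())
        print(f"{name:14} {verdicts}")
```

Both settings accept the same session-opening SYNs (plain and ECN), and both reject SYN+ACK and mid-session data, so neither can be what tears down an established SSH session; the difference is only that S/FSRA refuses the SYN+FIN and SYN+RST combinations that S/SA ignores, which is the sense in which it is the stricter of the two.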