Date: Mon, 7 Apr 2008 17:05:58 -0700 From: Jeremy Chadwick <koitsu@freebsd.org> To: Elliott Perrin <elliott@c7.ca> Cc: freebsd-pf@freebsd.org Subject: Re: SSH Session disconnecting with pf Message-ID: <20080408000558.GA18044@eos.sc1.parodius.com> In-Reply-To: <1207610249.32218.143.camel@kensho.c7.ca> References: <003801c898fb$16a897a0$43f9c6e0$@net> <20080407230750.GA15720@eos.sc1.parodius.com> <1207610249.32218.143.camel@kensho.c7.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote: > On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote: > > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote: > > > I'm running FreeBSD stable6.2 on all my servers and in the past one year I > > > notices a random disconnection of persistent sessions to and from servers > > > with is running as PF the firewall > > > > The big problem with your rules looks to be how you're determining SYN, > > and how you're using keep state. > > > > Below are some comments. > > > > > SYN_ONLY="S/FSRA" > > > > This is very, very wrong, and probably the cause of your issues. This > > should be S/SA. > > That is not very very wrong. > > Any TCP session starting up should only have the SYN flag set out of SYN > FIN ACK RST. As a matter of fact this is in theory a more secure setting > than S/SA (SYN out of SYN ACK). You're correct, and it was I who was very wrong. :-) Thank you for correcting me. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080408000558.GA18044>