Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 07 Apr 2008 22:48:21 -0400
From:      Elliott Perrin <elliott@c7.ca>
To:        freebsd-pf@freebsd.org
Subject:   Re: SSH Session disconnecting with pf
Message-ID:  <1207622901.32218.146.camel@kensho.c7.ca>
In-Reply-To: <20080408000558.GA18044@eos.sc1.parodius.com>
References:  <003801c898fb$16a897a0$43f9c6e0$@net> <20080407230750.GA15720@eos.sc1.parodius.com> <1207610249.32218.143.camel@kensho.c7.ca> <20080408000558.GA18044@eos.sc1.parodius.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 2008-04-07 at 17:05 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> > On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > > > I'm running FreeBSD stable6.2  on all my servers and in the past one year I
> > > > notices a random disconnection of persistent sessions to and from servers
> > > > with  is running as PF the firewall
> > > 
> > > The big problem with your rules looks to be how you're determining SYN,
> > > and how you're using keep state.
> > > 
> > > Below are some comments.
> > > 
> > > >         SYN_ONLY="S/FSRA"
> > > 
> > > This is very, very wrong, and probably the cause of your issues.  This
> > > should be S/SA.
> > 
> > That is not very very wrong. 
> > 
> > Any TCP session starting up should only have the SYN flag set out of SYN
> > FIN ACK RST. As a matter of fact this is in theory a more secure setting
> > than S/SA (SYN out of SYN ACK). 
> 
> You're correct, and it was I who was very wrong.  :-)  Thank you for
> correcting me.

No apology necessary... especially with all the help you provide to
people on the list. 

Cheers,
~e




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1207622901.32218.146.camel>