Date: Mon, 07 Apr 2008 22:48:21 -0400
From: Elliott Perrin <elliott@c7.ca>
To: freebsd-pf@freebsd.org
Subject: Re: SSH Session disconnecting with pf
Message-ID: <1207622901.32218.146.camel@kensho.c7.ca>
In-Reply-To: <20080408000558.GA18044@eos.sc1.parodius.com>
References: <003801c898fb$16a897a0$43f9c6e0$@net> <20080407230750.GA15720@eos.sc1.parodius.com> <1207610249.32218.143.camel@kensho.c7.ca> <20080408000558.GA18044@eos.sc1.parodius.com>

On Mon, 2008-04-07 at 17:05 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> > On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > > > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > > > noticed a random disconnection of persistent sessions to and from servers
> > > > which are running PF as the firewall
> > >
> > > The big problem with your rules looks to be how you're determining SYN,
> > > and how you're using keep state.
> > >
> > > Below are some comments.
> > >
> > > > SYN_ONLY="S/FSRA"
> > >
> > > This is very, very wrong, and probably the cause of your issues. This
> > > should be S/SA.
> >
> > That is not very very wrong.
> >
> > Any TCP session starting up should only have the SYN flag set out of SYN
> > FIN ACK RST. As a matter of fact this is in theory a more secure setting
> > than S/SA (SYN out of SYN ACK).
>
> You're correct, and it was I who was very wrong. :-) Thank you for
> correcting me.

No apology necessary... especially with all the help you provide to
people on the list.

Cheers,

~e
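
The difference between the two flag specifications discussed in this thread, as an added example that is not part of the original message or of pf itself: a small evaluator for pf's `flags <set>/<mask>` syntax, run over constructed flag combinations. The function names and the sample list are assumptions made for illustration.

```python
"""Added example: evaluate pf's "flags <set>/<mask>" TCP flag match."""

# pf.conf flag letters mapped to the TCP header flag bits.
PF_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
            "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def to_bits(letters):
    """Turn a string of pf flag letters such as "FSRA" into a bit mask."""
    bits = 0
    for ch in letters.upper():
        if ch not in PF_FLAGS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= PF_FLAGS[ch]
    return bits


def pf_flags_match(spec, packet_flags):
    """True if a packet carrying packet_flags satisfies "flags <spec>".

    Only the flags named in the mask are inspected; of those, exactly the
    ones in the set must be on. Flags outside the mask are ignored.
    """
    wanted, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError("expected <set>/<mask>, e.g. S/SA")
    mask_bits = to_bits(mask)
    return (to_bits(packet_flags) & mask_bits) == to_bits(wanted)


def compare(specs, packets):
    """Map each packet's flag string to its match result under every spec."""
    return {p: {s: pf_flags_match(s, p) for s in specs} for p in packets}


# Constructed sample flag combinations, not captured traffic.
SAMPLES = ["S", "SA", "A", "SF", "SR", "SEW"]

if __name__ == "__main__":
    for pkt, result in compare(["S/SA", "S/FSRA"], SAMPLES).items():
        print(f"{pkt:4} S/SA={result['S/SA']!s:5} S/FSRA={result['S/FSRA']!s:5}")
```

A plain SYN satisfies both specifications, while the SYN+FIN and SYN+RST combinations satisfy `S/SA` but not `S/FSRA`, because FIN and RST fall outside the `SA` mask and are ignored there.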