Date: Thu, 19 Mar 2009 11:08:37 +0400
From: Yuriy Grishin <grishin-mailing-lists@minselhoz.samara.ru>
To: freebsd-pf@freebsd.org
Subject: synproxy on tuns
Message-ID: <49C1EF75.3010204@minselhoz.samara.ru>
Hello,

I have some problems connecting to my gateway from elsewhere. A rule

1) pass in on tun0 inet proto tcp from any to 94.180.71.150 port = ssh flags S/SA *modulate* state queue(qssh, qack)

allows connecting to the host neatly. If I try to protect sshd with synproxy this way:

2) pass in on tun0 inet proto tcp from any to 94.180.71.150 port = ssh flags S/SA *synproxy* state queue(qssh, qack)

the connection gets stuck. The status "connecting...." never changes (it can take a minute or 10 and even more!). I suppose that some packets of the TCP handshake are approved and some not. Why does this happen? Is encapsulation the root of the problem? The second rule is active now, so anybody can reproduce the situation.

-- 
Yuriy Grishin
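Added example, not from the original post and not pf's own code: a small Python model of what a "synproxy state" rule does with a TCP handshake, following the behaviour pf.conf(5) describes (pf completes the three-way handshake with the client itself, only then handshakes with the server, and afterwards rewrites sequence numbers between the two sides). The hostnames, ISNs and the "unseen" mechanism are constructed for illustration. The point it shows is that a synproxy state needs to observe every handshake segment of both legs to advance; any segment pf does not see leaves the state parked and the client sees "connecting..." forever. Whether that is what happens on tun0 in the report above is not established by the post.

```python
# Added example (not from the original post or the pf source): a toy model of
# how a pf "synproxy state" rule handles a TCP handshake, following pf.conf(5):
# pf completes the handshake with the client itself, only then handshakes with
# the server, and afterwards rewrites sequence numbers between the two sides.
# Hostnames, ISNs and the "unseen" mechanism are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    """One TCP segment as pf would see it (only the fields that matter here)."""
    src: str
    dst: str
    flags: str   # "S", "SA", "A", "PA"
    seq: int
    ack: int


class SynProxy:
    """State machine for one synproxied connection client -> server."""

    def __init__(self, client, server, proxy_isn):
        self.client, self.server = client, server
        self.proxy_isn = proxy_isn   # ISN pf picks when answering the client
        self.state = "idle"
        self.client_isn = None
        self.offset = None           # server_isn - proxy_isn, once both legs are up

    def handle(self, seg):
        """Feed one segment pf observes; return the segments pf emits or forwards."""
        if self.state == "idle" and seg.flags == "S" and seg.src == self.client:
            self.client_isn = seg.seq
            self.state = "proxy_synack_sent"
            # pf answers on behalf of the server; the server is not contacted yet.
            return [Seg(self.server, self.client, "SA", self.proxy_isn, seg.seq + 1)]
        if (self.state == "proxy_synack_sent" and seg.flags == "A"
                and seg.src == self.client and seg.ack == self.proxy_isn + 1):
            self.state = "server_syn_sent"
            # Client leg complete; now pf performs the handshake with the real server.
            return [Seg(self.client, self.server, "S", self.client_isn, 0)]
        if self.state == "server_syn_sent" and seg.flags == "SA" and seg.src == self.server:
            self.offset = seg.seq - self.proxy_isn
            self.state = "established"
            return [Seg(self.client, self.server, "A", self.client_isn + 1, seg.seq + 1)]
        if self.state == "established":
            # Client ACKs refer to proxy_isn, server seqs to server_isn: translate.
            if seg.src == self.client:
                return [Seg(seg.src, seg.dst, seg.flags, seg.seq, seg.ack + self.offset)]
            return [Seg(seg.src, seg.dst, seg.flags, seg.seq - self.offset, seg.ack)]
        # Out-of-state segment, or a leg whose packet pf never saw: no progress.
        return []


def run_handshake(unseen=frozenset(), proxy_isn=5000, server_isn=9000, client_isn=100):
    """Drive a handshake through the proxy; segments named in `unseen` never reach pf.
    Returns (final proxy state, list of segments pf emitted)."""
    px = SynProxy("client", "server", proxy_isn)
    emitted = []
    steps = [  # constructed wire sequence, in the order pf would normally see it
        ("client_syn", Seg("client", "server", "S", client_isn, 0)),
        ("client_ack", Seg("client", "server", "A", client_isn + 1, proxy_isn + 1)),
        ("server_synack", Seg("server", "client", "SA", server_isn, client_isn + 1)),
        ("client_data", Seg("client", "server", "PA", client_isn + 1, proxy_isn + 1)),
    ]
    for name, seg in steps:
        if name in unseen:
            continue
        emitted.extend(px.handle(seg))
    return px.state, emitted


if __name__ == "__main__":
    for unseen in (frozenset(), {"client_ack"}, {"server_synack"}):
        state, out = run_handshake(unseen)
        print(f"unseen={sorted(unseen) or 'none'}: state={state}, emitted={len(out)} segments")
```

Contrast with rule 1 above: a "modulate state" rule never emits segments of its own; it passes the client's SYN straight to sshd and only rewrites sequence numbers on the packets that flow through, so the handshake completes as long as the packets reach the host at all. In the model, the full run ends in "established" with the client's data ACK translated from the proxy's ISN to the server's; dropping the client's ACK leaves the state at "proxy_synack_sent" and the server never receives a SYN, which matches the "connecting..." symptom.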