Date:      Thu, 16 Mar 2006 08:43:59 -0500
From:      jon butchar <butchar.2@osu.edu>
To:        freebsd-stable@freebsd.org
Subject:   Re: pf: synproxy broken
Message-ID:  <200603160843.59902.butchar.2@osu.edu>
In-Reply-To: <000e01c648f6$a92bc310$0701010a@notebook>
References:  <000e01c648f6$a92bc310$0701010a@notebook>

On Thursday 16 March 2006 07:39, Yuriy N. Shkandybin wrote:
> Hello
>
> from earlier 6.0 there is a problem with synproxy in pf filter:
> this one 6.1-PRERELEASE #2: Wed Mar 15 02:02:37 MSK 2006
>
> pf.conf just with single rule
> pass in quick on lo0 proto tcp from any to any port 22 flags
> S/SA synproxy state
>
> result
> telnet 127.0.0.1 22
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
>
> and it hangs
>
> pfctl -s rules -v
> No ALTQ support in kernel
> ALTQ related functions disabled
> pass in quick on lo0 proto tcp from any to any port = ssh flags
> S/SA synproxy state [ Evaluations: 966392    Packets: 0        
> Bytes: 0           States: 1     ]
>
>
>  pfctl -s state
> No ALTQ support in kernel
> ALTQ related functions disabled
> self tcp 127.0.0.1:22 <- 127.0.0.1:44819       PROXY:DST
>
> without synproxy all is ok
>
> There is PR 86072 about that with unclear results.
>
>
> Jura

Hi.

Do you have
"set state-policy if-bound"
in your options section of /etc/pf.conf?  That's cleared up 
synproxy problems for me before.

hth,

jon b
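An added diagnostic script, not part of either message, for checking the two things this thread turns on: whether a pf.conf sets the state-policy option the reply suggests, and whether `pfctl -s state` shows synproxy states still sitting in a PROXY phase (as in the PROXY:DST line above) instead of progressing to ESTABLISHED. The pf.conf and pfctl outputs below are constructed samples mirroring the report; the function names are mine.

```shell
#!/bin/sh
# Added example; sample inputs are constructed to mirror the thread.

# Constructed /etc/pf.conf as reported: one synproxy rule, no options section.
PF_CONF_REPORTED='pass in quick on lo0 proto tcp from any to any port 22 flags S/SA synproxy state'

# Same ruleset with the option suggested in the reply added to the options section.
PF_CONF_SUGGESTED='set state-policy if-bound
pass in quick on lo0 proto tcp from any to any port 22 flags S/SA synproxy state'

# Constructed "pfctl -s state" output. The first line matches the report: the
# synproxy state never left the PROXY:DST phase, so the client saw a hang.
# The second line is what a completed synproxy handshake looks like.
PFCTL_STATE_SAMPLE='self tcp 127.0.0.1:22 <- 127.0.0.1:44819       PROXY:DST
self tcp 10.0.0.5:22 <- 10.0.0.9:51000       ESTABLISHED:ESTABLISHED'

# Print the configured state policy, or "floating" (pf's default) when no
# "set state-policy" line is present.  Usage: state_policy "$(cat /etc/pf.conf)"
state_policy() {
    printf '%s\n' "$1" | awk '
        $1 == "set" && $2 == "state-policy" { print $3; found = 1 }
        END { if (!found) print "floating" }'
}

# Count states still in a synproxy proxy phase (PROXY:SRC or PROXY:DST), i.e.
# handshakes pf has not finished relaying.  Usage: pfctl -s state | stuck_synproxy_states
stuck_synproxy_states() {
    awk '/PROXY:(SRC|DST)/ { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed samples.
echo "reported pf.conf state-policy:  $(state_policy "$PF_CONF_REPORTED")"
echo "suggested pf.conf state-policy: $(state_policy "$PF_CONF_SUGGESTED")"
echo "states stuck in synproxy phase: $(printf '%s\n' "$PFCTL_STATE_SAMPLE" | stuck_synproxy_states)"
```

On a live host, replace the constructed strings with `$(cat /etc/pf.conf)` and `pfctl -s state` output; a non-zero stuck count that does not drain is the symptom the reporter describes.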



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200603160843.59902.butchar.2>