From: jon butchar <butchar.2@osu.edu>
To: freebsd-stable@freebsd.org
Date: Thu, 16 Mar 2006 08:43:59 -0500
Subject: Re: pf: synproxy broken
Message-Id: <200603160843.59902.butchar.2@osu.edu>
In-Reply-To: <000e01c648f6$a92bc310$0701010a@notebook>
List-Id: Production branch of FreeBSD source code

On Thursday 16 March 2006 07:39, Yuriy N. Shkandybin wrote:
> Hello
>
> From earlier 6.0 there is a problem with synproxy in the pf filter:
> this one is 6.1-PRERELEASE #2: Wed Mar 15 02:02:37 MSK 2006
>
> pf.conf with just a single rule:
> pass in quick on lo0 proto tcp from any to any port 22 flags S/SA synproxy state
>
> result:
> telnet 127.0.0.1 22
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
>
> and it hangs
>
> pfctl -s rules -v
> No ALTQ support in kernel
> ALTQ related functions disabled
> pass in quick on lo0 proto tcp from any to any port = ssh flags S/SA synproxy state
>   [ Evaluations: 966392 Packets: 0 Bytes: 0 States: 1 ]
>
> pfctl -s state
> No ALTQ support in kernel
> ALTQ related functions disabled
> self tcp 127.0.0.1:22 <- 127.0.0.1:44819 PROXY:DST
>
> without synproxy all is ok
>
> There is PR 86072 about that with unclear results.
>
> Jura

Hi. Do you have "set state-policy if-bound" in your options section of /etc/pf.conf? That's cleared up synproxy problems for me before.

hth,
jon b
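A small check that follows from the exchange above, added here as an example and not part of the thread: a POSIX sh lint that reports "synproxy state" rules in a pf.conf when "set state-policy if-bound" (the option the reply suggests trying) is absent or commented out. The function name and the temporary sample configs, built from the rule quoted in the thread, are this example's own.

```shell
#!/bin/sh
# check_synproxy_policy FILE  (hypothetical helper, not a pf tool)
# Reports each "synproxy state" rule when the config does not set
# "set state-policy if-bound". pf uses floating states when the option
# is absent. Returns 1 if any rule is reported, 0 otherwise.
check_synproxy_policy() {
    conf="$1"
    # Drop comment lines first so a commented-out option does not count.
    rules=$(grep -v '^[[:space:]]*#' "$conf" || true)
    if printf '%s\n' "$rules" \
        | grep -Eq '^[[:space:]]*set[[:space:]]+state-policy[[:space:]]+if-bound'; then
        return 0
    fi
    offenders=$(printf '%s\n' "$rules" | grep -E 'synproxy[[:space:]]+state' || true)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" \
        | sed 's/^/synproxy rule without "set state-policy if-bound": /'
    return 1
}

# Demo on two constructed configs derived from the rule in the thread.
tmp=$(mktemp)
printf 'pass in quick on lo0 proto tcp from any to any port 22 flags S/SA synproxy state\n' > "$tmp"
check_synproxy_policy "$tmp" || echo "-> flagged (exit $?)"
printf 'set state-policy if-bound\n%s\n' "$(cat "$tmp")" > "$tmp"
check_synproxy_policy "$tmp" && echo "-> ok"
rm -f "$tmp"
```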