From: "Yuriy N. Shkandybin"
Delivered-To: freebsd-pf@freebsd.org
Cc: freebsd-stable@freebsd.org
Date: Thu, 16 Mar 2006 15:39:23 +0300
Message-ID: <000e01c648f6$a92bc310$0701010a@notebook>
Subject: pf: synproxy broken

Hello

Since earlier 6.0 there is a problem with synproxy in the pf filter.
This one is
6.1-PRERELEASE #2: Wed Mar 15 02:02:37 MSK 2006

pf.conf with just a single rule:

pass in quick on lo0 proto tcp from any to any port 22 flags S/SA synproxy state

Result:

telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

and it hangs.

pfctl -s rules -v
No ALTQ support in kernel
ALTQ related functions disabled
pass in quick on lo0 proto tcp from any to any port = ssh flags S/SA synproxy state
  [ Evaluations: 966392  Packets: 0  Bytes: 0  States: 1 ]

pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 127.0.0.1:22 <- 127.0.0.1:44819  PROXY:DST

Without synproxy all is ok.

There is PR 86072 about that with unclear results.

Jura