Date: Wed, 19 Sep 2007 20:41:06 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: pfctl -e and pfctl -d kills all connections
Message-ID: <200709192041.16258.max@love2party.net>
In-Reply-To: <499c70c0709191042m2e784314j564e8974703b2fe6@mail.gmail.com>
References: <499c70c0709191042m2e784314j564e8974703b2fe6@mail.gmail.com>
On Wednesday 19 September 2007, Abdullah Ibn Hamad Al-Marri wrote:
> Hello Guys,
>
> Here are my full rules.
>
> When I pfctl -e or pfctl -d all connections will die.

...

"rules with synproxy state"

> Do you know the cause?

See above. Using "synproxy state" causes pf to complete the 3WHS before contacting the other endpoint, hence it has to translate all future sequence numbers for this connection. If you disable pf, the translation goes away and the connection dies. The same thing happens if you use "modulate state".

For the "pfctl -e" case: The pf in CURRENT uses "keep state flags S/SA" by default for any tcp pass rule. That means that it will only match on the initial SYN that starts the connection. The rest of the connection is then passed based on the state entry. Consequently any pre-existing connection will not have a state entry and be blocked.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
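As an added illustration of the behaviour Max describes (this fragment is not from the message or from the pf project): a pf.conf excerpt showing what the implicit default expands to next to the synproxy and modulate variants that cannot survive "pfctl -d". The interface name and ports are assumed, and the final "flags any" rule is an assumption that goes beyond the message.

```pf
# Added example, not part of the original message. Interface and ports assumed.
ext_if = "em0"

# On the CURRENT pf discussed in the message, a plain tcp pass rule ...
pass in on $ext_if proto tcp from any to ($ext_if) port 22

# ... expands to this explicit form: state is created only on the initial
# SYN (S set, A clear, out of the S/A mask), so a connection that already
# existed when "pfctl -e" ran has no state entry and is blocked.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state

# synproxy: pf completes the three-way handshake with the client itself and
# then rewrites sequence numbers for the life of the connection. "pfctl -d"
# removes that translation, so these connections die.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA synproxy state

# modulate state has the same property: pf substitutes its own initial
# sequence numbers, so the connection cannot continue without pf in the path.
pass in on $ext_if proto tcp from any to ($ext_if) port 25 \
    flags S/SA modulate state

# Assumption beyond the message: with "flags any" pf may create state from a
# mid-stream packet, so connections that predate "pfctl -e" can be picked up
# (window tracking can still drop some of them). This helps only for plain
# keep state; synproxy and modulate connections are still lost on "pfctl -d".
pass in on $ext_if proto tcp from any to ($ext_if) port 443 \
    flags any keep state
```

Check which of your rules carry synproxy or modulate state with "pfctl -sr"; those are the ones whose connections cannot outlive a disable/enable cycle.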
