From: skeletor
Reply-To: skeletor@lissyara.su
Date: Wed, 16 Mar 2022 18:14:57 +0200
To: freebsd-pf@freebsd.org
Subject: Question about synproxy
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

Hi.

Could anybody explain to me why synproxy doesn't work in this rule?

# pfctl -sr -v
pass in quick on vmx0 inet proto tcp from any to 10.5.0.5 port = 2211 flags S/SA synproxy state
  [ Evaluations: 1777      Packets: 0         Bytes: 0           States: 1     ]
  [ Inserted: uid 0 pid 75209 State Creations: 2     ]
pass all flags S/SA keep state
  [ Evaluations: 1775      Packets: 2885      Bytes: 288624      States: 194   ]
  [ Inserted: uid 0 pid 75209 State Creations: 1375  ]

I have an OpenSSH server on port 2211:

# sockstat | grep 2211
root     sshd       841   3  tcp6   *:2211                *:*
root     sshd       841   4  tcp4   *:2211                *:*

In tcpdump I see packets between the hosts, but the connection can't be established.
Maybe I am using synproxy wrongly? My goal is to use synproxy for connecting to the ssh server (which is on this host, where the pf rules are). Or is it not for this purpose? Thanks.
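As an added example (not part of the poster's mail), a small parser for the `pfctl -sr -v` counter lines quoted above: it extracts each rule's counters and flags synproxy rules that created states but passed no packets, which is exactly the symptom shown in the question. The sample input is constructed from the two rules in the mail.

```python
import re
from typing import Dict, List

# Constructed sample reproducing the two rules quoted in the mail,
# laid out as pfctl -sr -v prints them on FreeBSD.
SAMPLE = """\
pass in quick on vmx0 inet proto tcp from any to 10.5.0.5 port = 2211 flags S/SA synproxy state
  [ Evaluations: 1777      Packets: 0         Bytes: 0           States: 1     ]
  [ Inserted: uid 0 pid 75209 State Creations: 2     ]
pass all flags S/SA keep state
  [ Evaluations: 1775      Packets: 2885      Bytes: 288624      States: 194   ]
  [ Inserted: uid 0 pid 75209 State Creations: 1375  ]
"""

# Counter names as printed by pfctl; "States" must not swallow "State Creations".
COUNTER_RE = re.compile(r"(Evaluations|Packets|Bytes|States|State Creations):\s*(\d+)")


def parse_rules(text: str) -> List[Dict]:
    """Turn pfctl -sr -v output into one dict per rule with integer counters."""
    rules: List[Dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("["):
            # A counter line always belongs to the most recently seen rule.
            if not rules:
                raise ValueError("counter line before any rule")
            for name, value in COUNTER_RE.findall(line):
                rules[-1][name] = int(value)
        else:
            rules.append({"rule": line.strip()})
    return rules


def stalled_synproxy_rules(rules: List[Dict]) -> List[str]:
    """Synproxy rules whose states were created but which passed no packets."""
    return [
        r["rule"]
        for r in rules
        if "synproxy state" in r["rule"]
        and r.get("State Creations", 0) > 0
        and r.get("Packets", 0) == 0
    ]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for rule in stalled_synproxy_rules(parsed):
        print("states created but no packets passed:", rule)
```

Run it against `pfctl -sr -v | python3 script.py`-style captured output by replacing SAMPLE with the real text; a rule listed here is one to look at with `pfctl -ss` and tcpdump, as the poster did.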