pf: synproxy broken
Yuriy N. Shkandybin
jura at networks.ru
Thu Mar 16 12:39:18 UTC 2006
Hello,

Since earlier 6.0 there has been a problem with synproxy in the pf filter.
This one is 6.1-PRERELEASE #2: Wed Mar 15 02:02:37 MSK 2006
pf.conf with just a single rule:
pass in quick on lo0 proto tcp from any to any port 22 flags S/SA synproxy state
Result:
telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
and it hangs.
pfctl -s rules -v
No ALTQ support in kernel
ALTQ related functions disabled
pass in quick on lo0 proto tcp from any to any port = ssh flags S/SA synproxy state
[ Evaluations: 966392 Packets: 0 Bytes: 0 States: 1 ]
pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 127.0.0.1:22 <- 127.0.0.1:44819 PROXY:DST
Without synproxy all is OK.
There is PR 86072 about that, with unclear results.
Jura