Blocking SYN with data
Kristof Provost
kristof at sigsegv.be
Fri Dec 27 17:43:01 UTC 2019
On 26 Dec 2019, at 1:13, Özkan KIRIK wrote:
> Hi,
>
> I want to block SYN with data packets.
> I read the pf.conf manual, but couldn't find a clear way to do this.
>
> Is it possible to match packets greater than N bytes using pf on
> FreeBSD 12.1 stable?
There isn’t a way to express this in pf right now.
> Does synproxy state or modulate state perform this operation?
>
I’ve had a quick look at the code, and I’m somewhat surprised to
find that pf doesn’t stop this by default. There may be good reasons
for this, or perhaps it’s not considered to be a problem (i.e. it
doesn’t happen often, and host stacks discard it anyway).
I’ve not gone through the synproxy code flow, but I’d expect that
to prevent this from happening.
Why are you concerned about it?
Best regards,
Kristof
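Since pf cannot express this match today, one way to find out whether such segments actually reach a host is to check captured traffic for them. The following is an added example, not code from this thread or from pf: a small pure-Python parser that takes a raw IPv4/TCP packet (no link-layer header), and flags it when SYN is set, ACK is clear, and payload bytes follow the TCP header. The packets it examines are constructed inline with zero checksums, purely as test input.

```python
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def classify_ipv4_tcp(pkt: bytes) -> dict:
    """Parse a raw IPv4 packet carrying TCP and report the SYN/ACK state
    and how many payload bytes follow the TCP header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, total_len, proto = pkt[0], struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl + 20 or len(pkt) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    tcp = pkt[ihl:total_len]          # trust total_len; drop any trailing padding
    data_off = (tcp[12] >> 4) * 4     # TCP header length incl. options
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    flags = tcp[13]
    payload_len = len(tcp) - data_off
    syn_only = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
    return {"syn_only": syn_only, "payload_len": payload_len,
            "syn_with_data": syn_only and payload_len > 0}


def build_packet(flags: int, payload: bytes) -> bytes:
    """Constructed sample input: minimal IPv4 + TCP headers (no options)
    around the given payload, checksums left at zero. Addresses are from
    the documentation range 192.0.2.0/24."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + payload


if __name__ == "__main__":
    samples = [("plain SYN", TCP_SYN, b""),
               ("SYN with data", TCP_SYN, b"GET / HTTP/1.0\r\n"),
               ("SYN/ACK", TCP_SYN | TCP_ACK, b"")]
    for name, flags, data in samples:
        print(name, classify_ipv4_tcp(build_packet(flags, data)))
```

Note that TCP Fast Open (RFC 7413) legitimately places data in a SYN, so a hit from this check is not by itself a malformed or hostile segment.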