synproxy on tuns

Yuriy Grishin grishin-mailing-lists at minselhoz.samara.ru
Thu Mar 19 00:27:44 PDT 2009


Hello,

    I have some problems connecting to my gateway from elsewhere.

A rule
1) pass in on tun0 inet proto tcp from any to 94.180.71.150 port = ssh flags S/SA *modulate* state queue(qssh, qack)

allows connecting to the host neatly.

If I try to protect sshd with synproxy this way:
2) pass in on tun0 inet proto tcp from any to 94.180.71.150 port = ssh flags S/SA *synproxy* state queue(qssh, qack)

the connection gets stuck. The status "connecting...." never changes (it can take a minute, or 10, or even more!). I suppose that some packets of the TCP handshake are approved and some are not.
Why does this happen? Is encapsulation the root of the problem?

The second rule is active now, so anybody can reproduce the situation.

--
Yuriy Grishin
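For reference, here is an added toy model of what "synproxy state" does that "modulate state" does not: pf answers the client's SYN itself with its own initial sequence number, opens its own handshake toward the server only after the client's side is complete, and then rewrites sequence numbers between the two legs. The model is constructed for this post and is not pf's code; the ISNs and the `server_synack_seen_by_pf` switch are assumptions, and which leg (if any) fails on tun0 is not something the post establishes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str          # "S", "SA", "A" or "PA"
    seq: int
    ack: int = 0
    payload: bytes = b""

class SynProxy:
    """Toy model of pf 'synproxy state' (constructed example, not pf's code).
    pf answers the client's SYN with its own ISN; only once the client's
    handshake is complete does it open the server leg, after which it shifts
    sequence numbers by the difference between the two ISNs."""
    def __init__(self, proxy_isn=5000):                 # assumed ISN
        self.proxy_isn, self.client_isn, self.delta = proxy_isn, None, 0
        self.state = "NONE"      # NONE -> SYN_SEEN -> CLIENT_DONE -> ESTABLISHED

    def from_client(self, seg):
        if seg.flags == "S" and self.state == "NONE":
            self.client_isn, self.state = seg.seq, "SYN_SEEN"
            return [Segment("proxy", "client", "SA", self.proxy_isn, seg.seq + 1)]
        if seg.flags == "A" and self.state == "SYN_SEEN" and seg.ack == self.proxy_isn + 1:
            self.state = "CLIENT_DONE"       # client now believes it is connected
            return [Segment("proxy", "server", "S", self.client_isn)]
        if self.state == "ESTABLISHED" and seg.flags in ("A", "PA"):
            # the client ACKs the proxy's numbering; shift it onto the server's ISN
            return [Segment("client", "server", seg.flags, seg.seq, seg.ack + self.delta, seg.payload)]
        return []                            # anything else is dropped, state unchanged

    def from_server(self, seg):
        if seg.flags == "SA" and self.state == "CLIENT_DONE":
            self.delta, self.state = seg.seq - self.proxy_isn, "ESTABLISHED"
            return [Segment("proxy", "server", "A", self.client_isn + 1, seg.seq + 1)]
        if self.state == "ESTABLISHED" and seg.flags in ("A", "PA"):
            return [Segment("server", "client", seg.flags, seg.seq - self.delta, seg.ack, seg.payload)]
        return []

def simulate(server_synack_seen_by_pf=True):
    """Run one handshake plus the client's first data segment. The flag models
    whether the server's SYN/ACK travels a path that pf actually sees; if it
    does not, the proxy stays short of ESTABLISHED and forwards nothing."""
    pf = SynProxy()
    synack = pf.from_client(Segment("client", "proxy", "S", 1000))[0]
    pf.from_client(Segment("client", "proxy", "A", 1001, synack.seq + 1))
    if server_synack_seen_by_pf:
        pf.from_server(Segment("server", "proxy", "SA", 9000, 1001))
    forwarded = pf.from_client(Segment("client", "proxy", "PA", 1001, 5001, b"SSH-2.0-"))
    return pf.state, forwarded
```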


More information about the freebsd-pf mailing list