rdr inet6 to local ftp-proxy sends tcp rst to client

Felix J. Ogris fjo-lists at ogris.de
Mon Jun 23 22:31:32 UTC 2014


Hi,

This rule doesn't redirect as expected, but sends a TCP RST with an incorrect
checksum to the client:

rdr on $lanif inet6 proto tcp from port >= 1024 to port ftp -> ($lanif) port ftp-proxy

Neither does "rdr pass ...", nor does redirecting to (lo), ::1, or the
globally scoped IPv6 address bound to $lanif. The redirected connection
never hits userspace (verified with 'nc -6 -l').

pfctl -s states reports:
all tcp $lanif[8021] ($ftpserver[21]) <- $client[some high port]    SYN_SENT:ESTABLISHED

sockstat -6 is confused:
?    ?    ?    ?    tcp6    $lanif:8021    $client:some_high_port

Same behaviour on 9.2-RELEASE i386 and 10.0-RELEASE amd64. The rule has
worked for years with IPv4. Maybe related to kern/179392.

--Felix
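The symptom above is visible in the state table: a rdr state toward the ftp-proxy port that never leaves SYN_SENT on the client side. The following is an added example, not code from the post or from pf/pfctl, that parses `pfctl -s states` lines (IPv4 `addr:port` and IPv6 `addr[port]` forms, with the parenthesized pre-translation host) and flags TCP rdr states to a given proxy port whose tracked handshake has not reached ESTABLISHED. The sample lines are constructed, with 2001:db8::/32 and 192.0.2.0/24 addresses standing in for $lanif, $ftpserver and $client; the column layout is assumed to match the line quoted in the post.

```python
"""Parse 'pfctl -s states' output and flag rdr states whose TCP handshake stalled.

Added example for the freebsd-pf thread above; it is not pf's or pfctl's code.
Only tcp/udp state lines are handled (icmp and others print no port).
"""
from typing import Dict, List, Optional

# Constructed sample output modelled on the single line quoted in the post.
# Assumed layout: iface proto host [ (orig-host) ] arrow host [ (orig-host) ] state
# where pfctl prints IPv6 ports as addr[port] and IPv4 ports as addr:port.
SAMPLE_STATES = """\
all tcp 2001:db8:1::1[8021] (2001:db8:2::21[21]) <- 2001:db8:1::50[49152]    SYN_SENT:ESTABLISHED
all tcp 192.0.2.1:8021 (198.51.100.21:21) <- 192.0.2.50:50123    ESTABLISHED:ESTABLISHED
all tcp 2001:db8:1::50[49153] -> 2001:db8:2::80[443]    ESTABLISHED:ESTABLISHED
all udp 192.0.2.50:53210 -> 192.0.2.1:53    SINGLE:NO_TRAFFIC
"""

# TCP tracking states (tcp_fsm.h names, as pfctl prints them) before ESTABLISHED.
TCP_PRE_ESTABLISHED = {"CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD"}


def parse_host(tok: str) -> Dict[str, object]:
    """Split one host token into address, port and address family.

    Surrounding parentheses (pre-translation host) are stripped by the caller's
    token handling and tolerated here.
    """
    tok = tok.strip("()")
    if tok.endswith("]"):                       # IPv6: addr[port]
        addr, port = tok[:-1].rsplit("[", 1)
        af = "inet6"
    else:                                       # IPv4: addr:port
        addr, port = tok.rsplit(":", 1)
        af = "inet"
    return {"addr": addr, "port": int(port), "af": af}


def _side(tokens: List[str]) -> Dict[str, object]:
    """One side of the arrow: the host plus an optional '(orig)' host."""
    host = parse_host(tokens[0])
    has_orig = len(tokens) > 1 and tokens[1].startswith("(")
    host["orig"] = parse_host(tokens[1]) if has_orig else None
    return host


def parse_state(line: str) -> Optional[Dict[str, object]]:
    """Parse one tcp/udp state line; return None for anything else."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[1] not in ("tcp", "udp"):
        return None
    body = tokens[2:-1]
    arrow = next((i for i, t in enumerate(body) if t in ("->", "<-")), None)
    if arrow is None:
        return None
    src_state, _, dst_state = tokens[-1].partition(":")
    return {
        "iface": tokens[0],
        "proto": tokens[1],
        "direction": "in" if body[arrow] == "<-" else "out",
        "left": _side(body[:arrow]),        # for '<-' states: the post-rdr destination
        "right": _side(body[arrow + 1:]),   # for '<-' states: the client
        "src_state": src_state,
        "dst_state": dst_state,
    }


def find_stalled_rdr(output: str, proxy_port: int) -> List[Dict[str, object]]:
    """Return inbound TCP states redirected to proxy_port that never fully established.

    A state counts as redirected when the first host carries a parenthesized
    original destination, as in the post's '$lanif[8021] ($ftpserver[21]) <- ...'.
    """
    stalled = []
    for line in output.splitlines():
        st = parse_state(line)
        if st is None or st["proto"] != "tcp" or st["direction"] != "in":
            continue
        local = st["left"]
        if local["orig"] is None or local["port"] != proxy_port:
            continue
        if st["src_state"] in TCP_PRE_ESTABLISHED or st["dst_state"] in TCP_PRE_ESTABLISHED:
            stalled.append(st)
    return stalled


if __name__ == "__main__":
    for st in find_stalled_rdr(SAMPLE_STATES, 8021):
        print("stalled rdr (%s): %s[%d] from %s[%d], original dst %s[%d], state %s:%s" % (
            st["left"]["af"], st["left"]["addr"], st["left"]["port"],
            st["right"]["addr"], st["right"]["port"],
            st["left"]["orig"]["addr"], st["left"]["orig"]["port"],
            st["src_state"], st["dst_state"]))
```

Feed it real output with `pfctl -s states | python3 thisfile.py` after swapping SAMPLE_STATES for `sys.stdin.read()`; splitting the result by address family makes the IPv4-works/IPv6-stalls pattern from the report obvious at a glance.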

