Hello,

I just 

1. changed the configuration to "keep state"
2. did a syspatch
3. rebooted the host
4. all connections were possible
5. changed the configuration back to "modulate state" to verify
6. reloaded the configuration
7. still, all connections were possible
8. rebooted the system
9. still all connections were possible
10. Changed back to "keep state" due to Stuart's helpful advice.

So, layer 8 problem? Don't think so, but I cannot reproduce it and it
works now.

Ok, blame me...

Thanks for your help and time!

Best regards,

Steffen


On Thu, Feb 25, 2021 at 02:51:02PM +0000, Stuart Henderson wrote:
> On 2021/02/25 15:32, Steffen Fritz wrote:
> > Hello,
> > 
> > On Thu, Feb 25, 2021 at 01:21:54PM +0000, Stuart Henderson wrote:
> > > 
> > > Any difference if you change "modulate state" to "keep state"?
> > 
> > as this is a (privately used) productive system and I don't have a
> > testing stage I cannot test this easily. I would have to syspatch and
> > render the system unusable for some time. If nothing helps I can do it
> > but maybe someone else can check this on a test system?
> > 
> > Best regards,
> > 
> > Steffen
> > 
> 
> btw, if you look at what "modulate state" does as described in
> pf.conf(5), using it on services hosted on the machine running PF
> itself doesn't make much sense in the first place, it's for protecting
> machines that have junk sequence number generation. OpenBSD's TCP stack
> already uses a good rng so there's no point in PF adjusting every single
> packet in the connection to replace sequence numbers/acks with something
> that isn't any better than it was already (and adjusting checksums to
> match).
> 
> (if that _is_ responsible for the problem then obviously it wants
> fixing but I wanted to mention that on-list as this feature seems to get
> cargo-culted a lot where it isn't useful..)
> 

-- 
Steffen Fritz

T: +49 7141 505 36 12
W: https://fritz.wtf
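For readers who want to see the two rules side by side, the following pf.conf(5) fragment is an added example and not from the thread or from anyone's actual configuration. It assumes an external interface named em0 and the listed ports; the 192.0.2.10 host is a placeholder for a machine behind the firewall.

```pf
# Added example (not from the thread). Interface name, ports and the
# protected host address are assumptions.
ext_if = "em0"

# The cargo-culted form Stuart describes: for a service terminated on the
# PF host itself, "modulate state" makes PF replace the initial sequence
# number and then rewrite the seq/ack fields (and checksums) of every
# packet in the connection. OpenBSD's own TCP stack already randomises
# ISNs, so on this host the extra work buys nothing.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 modulate state

# Plain stateful filtering for the same service. "keep state" is the
# default for pass rules, so the keyword may also be left off entirely.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 keep state

# Where "modulate state" is actually meant to be used: protecting a host
# behind PF whose TCP stack has poor ISN generation.
pass in on $ext_if inet proto tcp to 192.0.2.10 port 80 modulate state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` lists the current state table so you can confirm the states are being created for the locally hosted service. Note that "modulate state" only has an effect on TCP; for other protocols it behaves like "keep state".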
