At 08:55 PM 7/25/2007 +0200, Max Laier wrote:
On Saturday 21 July 2007, Jordan Gordeev wrote:
> I'm replying to an old and long-forgotten thread to report my recent
> findings.
> There's a bug in PF with modulate/synproxy state. Modulate/synproxy
> state modulate sequence numbers, but don't modulate sequence numbers in
> TCP SACK options. Some firewalls block TCP segments with sequence
> numbers in the SACK option pointing outside the window, which causes
> connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
> src/sys/net/pf.c about a year and a half ago. The bug is present in
> FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
> the big import of PF from OpenBSD 4.1.
> I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
> him to deal with the issue by either porting the fix from OpenBSD, or
> by documenting that modulate/synproxy state is broken.
Good catch - sorry for the delay. Here is the diff (almost verbatim from
OPENBSD_3_8). Please test and report back. I plan to commit this to
RELENG_6 in a bit.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
Max - 3.8? Can't we get a bit closer and more up-to-date as far as
staying with pf and openbsd?
I know pf changed - especially for OBSD 4.1 and it would be nice to
be CLOSER than 3.8?
-JD
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
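The stall Jordan describes comes from one missing step: when pf's modulate/synproxy state shifts a connection's sequence numbers, the ack number of an outbound segment is rewritten but the 32-bit edges inside the SACK option are not, so a stricter firewall downstream sees SACK edges far outside the sender's window and drops the segment. The following is an added illustration written for this page; it is not code from pf, from OpenBSD revision 1.509, or from any of the posters. It models the firewall's rewrite in Python with an assumed convention (the inside host sees the peer's sequence space shifted by `seqdiff`, so outbound ack and SACK edges must be shifted back by the same amount), a constructed 12-byte TCP options field, and a `sack_in_window` check standing in for the downstream firewall's window test. All names, the offset value and the window size are invented for the example.

```python
"""
Added illustration (not pf source): sequence-number modulation must also
rewrite the edges carried in TCP SACK options, or a downstream firewall
that validates SACK edges against the window will drop the segment.

Modelling assumption: the firewall presents the peer's sequence space to the
inside host shifted by SEQDIFF, so an outbound ACK from the inside host has
its ack number, and every SACK edge, shifted back by SEQDIFF.
"""
import struct

MASK32 = 0xFFFFFFFF
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_SACK = 5


def _walk_options(options):
    """Yield (offset, kind, length) for each TCP option; stop at EOL or malformed data."""
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= n:
            return  # option header truncated
        length = options[i + 1]
        if length < 2 or i + length > n:
            return  # bogus length: never read past the buffer
        yield i, kind, length
        i += length


def sack_blocks(options):
    """Return [(left, right), ...] for every SACK block found in 'options'."""
    blocks = []
    for off, kind, length in _walk_options(options):
        if kind != TCPOPT_SACK:
            continue
        body = bytes(options[off + 2:off + length])
        for j in range(0, len(body) - 7, 8):  # each block is two 32-bit edges
            blocks.append(struct.unpack("!II", body[j:j + 8]))
    return blocks


def modulate_sack(options, delta):
    """Copy of 'options' with every SACK edge shifted by delta (mod 2**32).
    Non-SACK options are left untouched; malformed trailing data ends the walk."""
    out = bytearray(options)
    for off, kind, length in _walk_options(out):
        if kind != TCPOPT_SACK:
            continue
        for j in range(off + 2, off + length - 7, 8):
            left, right = struct.unpack_from("!II", out, j)
            struct.pack_into("!II", out, j,
                             (left + delta) & MASK32, (right + delta) & MASK32)
    return bytes(out)


def translate_outbound(ack, options, seqdiff, fix_sack):
    """Model the firewall rewriting an inside->outside ACK segment.
    fix_sack=False: only the ack number is shifted (the bug described in the thread).
    fix_sack=True:  the SACK edges are shifted by the same amount (the fix)."""
    new_ack = (ack - seqdiff) & MASK32
    new_opts = modulate_sack(options, -seqdiff) if fix_sack else bytes(options)
    return new_ack, new_opts


def sack_in_window(ack, window, options):
    """True if every SACK edge lies in (ack, ack + window] in modular sequence space.
    Stands in for the check a strict downstream firewall applies before passing the segment."""
    for left, right in sack_blocks(options):
        for edge in (left, right):
            if not 0 < ((edge - ack) & MASK32) <= window:
                return False
    return True


def demo(seqdiff=0x4A3B2C1D, window=65535):
    """Constructed scenario: the inside host acks up to 5000 (peer space) and
    reports an out-of-order block [5500, 6500); it sees both shifted by seqdiff."""
    ack_inside = (5000 + seqdiff) & MASK32
    opts = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 10]) + struct.pack(
        "!II", (5500 + seqdiff) & MASK32, (6500 + seqdiff) & MASK32)
    buggy_ack, buggy_opts = translate_outbound(ack_inside, opts, seqdiff, fix_sack=False)
    fixed_ack, fixed_opts = translate_outbound(ack_inside, opts, seqdiff, fix_sack=True)
    return {
        "buggy_passes": sack_in_window(buggy_ack, window, buggy_opts),
        "fixed_passes": sack_in_window(fixed_ack, window, fixed_opts),
        "fixed_blocks": sack_blocks(fixed_opts),
    }


if __name__ == "__main__":
    print(demo())
```

With the buggy translation the SACK edges still carry the random offset while the ack number does not, so the edge lands roughly `seqdiff` bytes above the window and the segment is dropped; with the fix both are rewritten consistently and the block [5500, 6500) sits inside the window again. In a real stack the TCP checksum must be updated for each rewritten edge as well, which this model omits.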