Hi!

I've upgraded two 5.0 boxes to 5.1, and noticed that my long standing pf
rules with 'synproxy state' stopped working.

This is an example:

block all
[...]
antispoof quick for $ext_if
[...]
pass in on $ext_if inet proto tcp from any to $ext_ip port imap \
        synproxy state \
        (source-track rule, max-src-nodes 150, max-src-states 50, \
        max-src-conn-rate 50/1, overload <abuse_imap>) \
        queue imap
[...]

With this rule I only get a TCP reset [1] in response to a connection to
the imap port. I can safely "fix" this by replacing 'synproxy' with
'keep', but I've remained curious about why the old rule doesn't
work (not just with imap, but with all the other services too, e.g.
ssh, http, smtp, etc.).

If someone could enlighten me about this issue, I'd be grateful (I
didn't find anything regarding this on upgrade51.html).

I can provide the full pf ruleset if needed, but I must massage it
first...


[1]
Jul 24 09:17:35.429490 <client>.2245 > <ext_ip>.143: S 2258140835:2258140835(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
Jul 24 09:17:35.429566 <ext_ip>.143 > <client>.2245: S 1742119500:1742119500(0) ack 2258140836 win 0 <mss 1452> (DF) [tos 0x10]
Jul 24 09:17:35.450975 <client>.2245 > <ext_ip>.143: . ack 1 win 65535 (DF)
Jul 24 09:17:35.450997 <ext_ip>.143 > <client>.2245: R 2552847796:2552847796(0) ack 1543259791 win 0 (DF) [tos 0x10]


Thanks,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F
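Added example, not part of the post above: a small parser for tcpdump lines like the excerpt in [1] that re-joins lines wrapped by a mail client and classifies what happened to the TCP handshake, flagging the synproxy symptom where the three-way handshake completes and a reset with a sequence number unrelated to the proxied SYN-ACK follows. The sample input is the excerpt from the post, embedded inline.

```python
import re

# Constructed sample: the tcpdump excerpt from the post, with its long lines
# wrapped the way a mail client wraps them (continuation lines carry no timestamp).
SAMPLE = """\
Jul 24 09:17:35.429490 <client>.2245 > <ext_ip>.143: S 2258140835:2258140835(0)
win 65535 <mss 1452,nop,nop,sackOK> (DF)
Jul 24 09:17:35.429566 <ext_ip>.143 > <client>.2245: S 1742119500:1742119500(0)
ack 2258140836 win 0 <mss 1452> (DF) [tos 0x10]
Jul 24 09:17:35.450975 <client>.2245 > <ext_ip>.143: . ack 1 win 65535 (DF)
Jul 24 09:17:35.450997 <ext_ip>.143 > <client>.2245: R 2552847796:2552847796(0)
ack 1543259791 win 0 (DF) [tos 0x10]
"""

TS = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")
PKT = re.compile(r"^\S+ +\d+ \S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+)"
                 r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?")


def parse(text):
    """Re-join wrapped lines, then pull src, dst, flags, seq and ack from each packet."""
    lines = []
    for line in text.splitlines():
        if TS.match(line) or not lines:
            lines.append(line.rstrip())
        else:
            lines[-1] += " " + line.strip()
    return [m.groupdict() for m in map(PKT.match, lines) if m]


def classify(text):
    """Describe what happened to the TCP handshake in a tcpdump excerpt."""
    p = parse(text)
    if len(p) < 2 or "S" not in p[0]["flags"] or p[1]["flags"] != "S" or not p[1]["ack"]:
        return "no SYN/SYN-ACK pair found"
    client, server, isn = p[0]["src"], p[0]["dst"], int(p[1]["seq"])
    if int(p[1]["ack"]) != int(p[0]["seq"]) + 1:
        return "SYN-ACK acknowledges the wrong sequence number"
    if len(p) < 3 or p[2]["src"] != client or "." not in p[2]["flags"]:
        return "handshake never completed"
    if len(p) > 3 and p[3]["src"] == server and "R" in p[3]["flags"]:
        # With synproxy the SYN-ACK's ISN is pf's own; the server leg is only
        # opened after the client's ACK, so a reset arriving right here is the
        # symptom the post describes. An in-sequence reset would carry isn + 1.
        if int(p[3]["seq"]) == isn + 1:
            return "handshake completed, then reset in-sequence"
        return "handshake completed, then reset with a sequence number unrelated to the SYN-ACK"
    return "handshake completed"
```

Running classify(SAMPLE) on the excerpt reports the completed-then-reset pattern; a trace from a working 'keep state' rule ends at "handshake completed".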
