On Tue, Nov 04, 2008 at 11:23:08AM +0100, Matthias Kellermann wrote:
> Jeremy Chadwick wrote:
> > Try changing "synproxy state" to "keep state", and see if you have the
> > same problem. Note that you may need to reset your state table after
> > changing this rule (see pfctl -k).
>
> Ok, I tried that. Here is the result:
>
> # tcpdump -s 256 -netttvvi pflog0
> 000000 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35529,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 >
> 192.168.0.10.23: S, cksum 0x5fae (correct), 3300997001:3300997001(0) win
> 5840 <mss 1460,sackOK,timestamp 2866496 0,nop,wscale 6>
> 2. 998190 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35530,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 >
> 192.168.0.10.23: S, cksum 0x5cc0 (correct), 3300997001:3300997001(0) win
> 5840 <mss 1460,sackOK,timestamp 2867246 0,nop,wscale 6>
> 6. 000214 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 35531,
> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.38439 >
> 192.168.0.10.23: S, cksum 0x56e4 (correct), 3300997001:3300997001(0) win
> 5840 <mss 1460,sackOK,timestamp 2868746 0,nop,wscale 6>
> 12. 000425 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id
> 35532, offset 0, flags [DF], proto TCP (6), length 60)
> 192.168.0.51.38439 > 192.168.0.10.23: S, cksum 0x4b2c (correct),
> 3300997001:3300997001(0) win 5840 <mss 1460,sackOK,timestamp 2871746
> 0,nop,wscale 6
>
> If I stop the connection attempts from the client the tcpdump output
> stops too.

Others will have to assist.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
