On 7/25/2007 12:50 PM JD Bronson wrote:
At 08:55 PM 7/25/2007 +0200, Max Laier wrote:
On Saturday 21 July 2007, Jordan Gordeev wrote:
> I'm replying to an old and long-forgotten thread to report my recent
> findings.
> There's a bug in PF with modulate/synproxy state. Modulate/synproxy
> state modulate sequence numbers, but don't modulate sequence numbers in
> TCP SACK options. Some firewalls block TCP segments with sequence
> numbers in the SACK option pointing outside the window, which causes
> connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
> src/sys/net/pf.c about a year and a half ago. The bug is present in
> FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
> the big import of PF from OpenBSD 4.1.
> I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
> him to deal with the issue by either porting the fix from OpenBSD, or
> by documenting that modulate/synproxy state is broken.
Good catch - sorry for the delay. Here is the diff (almost verbatim from
OPENBSD_3_8). Please test and report back. I plan to commit this to
RELENG_6 in a bit.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
Max - 3.8? Can't we get a bit closer and more up-to-date as far as
staying with pf and openbsd?
I know pf changed - especially for OBSD 4.1 and it would be nice to be
CLOSER than 3.8?
Excuse me for butting in. This has been discussed on the pf list. A
search of the archives will find you the details but basically 4.1 and
FBSD 6 won't work together as I understand it. Major changes are
required. However, work has been done in CURRENT and is undergoing
testing now but will not be backported to STABLE because of the major
changes.
HTH,
Drew
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
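Added example, not part of the thread and not the OpenBSD or FreeBSD patch: a stand-alone C illustration of the rewrite the reported bug calls for, walking the TCP options and shifting each SACK block edge by the same offset used for the modulated sequence numbers. The function name `modulate_sack`, the `seqdiff` convention and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5

/* Big-endian 32-bit read/write, safe for unaligned option bytes. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Hypothetical helper: shift every SACK edge in a TCP options area back by
 * seqdiff (assumed: the offset the firewall added to the other side's
 * sequence numbers). Returns the number of SACK blocks rewritten, or -1 if
 * the options are malformed (the caller should then drop the segment).
 * The TCP checksum must be fixed up by the caller; that is not shown. */
int modulate_sack(uint8_t *opt, size_t len, uint32_t seqdiff) {
    size_t i = 0;
    int blocks = 0;
    while (i < len && opt[i] != TCPOPT_EOL) {
        if (opt[i] == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                 /* no room for length byte */
        size_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) return -1;   /* bad or overlong option */
        if (opt[i] == TCPOPT_SACK) {
            if ((olen - 2) % 8 != 0) return -1;      /* edges come in pairs */
            for (size_t j = i + 2; j < i + olen; j += 4)
                wr32(opt + j, rd32(opt + j) - seqdiff); /* wraps mod 2^32 */
            blocks += (int)((olen - 2) / 8);
        }
        i += olen;
    }
    return blocks;
}

int main(void) {
    /* Constructed sample: NOP, NOP, SACK(len 10) with edges 0x2000..0x2500. */
    uint8_t opt[] = {1, 1, 5, 10, 0, 0, 0x20, 0, 0, 0, 0x25, 0};
    int n = modulate_sack(opt, sizeof opt, 0x1000);
    printf("%d block(s): %08x-%08x\n", n, (unsigned)rd32(opt + 4), (unsigned)rd32(opt + 8));
    return 0;
}
```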