Hi
try:

pass in on $ext_if proto tcp to $ext_ip port imap synproxy state

@plus

2012/7/24 LEVAI Daniel <[email protected]>
> Hi!
>
> I've upgraded two 5.0 boxes to 5.1, and noticed that my long-standing pf
> rules with 'synproxy state' stopped working.
>
> This is an example:
>
> block all
> [...]
> antispoof quick for $ext_if
> [...]
> pass in on $ext_if inet proto tcp from any to $ext_ip port imap \
>     synproxy state \
>     (source-track rule, max-src-nodes 150, max-src-states 50, \
>     max-src-conn-rate 50/1, overload <abuse_imap>) \
>     queue imap
> [...]
>
> With this rule I only get a TCP reset [1] in response to a connection to
> the imap port. I can safely "fix" this by replacing 'synproxy' with
> 'keep', but I've remained curious about why the old rule doesn't
> work (not just with imap, but with all the other services too, e.g.
> ssh, http, smtp, etc.).
>
> If someone could enlighten me about this issue, I'd be grateful (I
> didn't find anything regarding this on upgrade51.html).
>
> I can provide the full pf ruleset if needed, but I must massage it
> first...
>
>
> [1]
> Jul 24 09:17:35.429490 <client>.2245 > <ext_ip>.143: S 2258140835:2258140835(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
> Jul 24 09:17:35.429566 <ext_ip>.143 > <client>.2245: S 1742119500:1742119500(0) ack 2258140836 win 0 <mss 1452> (DF) [tos 0x10]
> Jul 24 09:17:35.450975 <client>.2245 > <ext_ip>.143: . ack 1 win 65535 (DF)
> Jul 24 09:17:35.450997 <ext_ip>.143 > <client>.2245: R 2552847796:2552847796(0) ack 1543259791 win 0 (DF) [tos 0x10]
>
>
> Thanks,
> Daniel
>
> --
> LÉVAI Dániel
> PGP key ID = 0x83B63A8F
> Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F


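As an added example, not part of the original thread or of pf itself: a small Python script that parses the four tcpdump lines quoted in footnote [1] and checks whether each packet's sequence and acknowledgement numbers continue the handshake that the firewall answered on port 143. The embedded trace is the one from the post (placeholders kept), and the RELATIVE_LIMIT heuristic for tcpdump's relative seq/ack numbering, the Packet type and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

MASK = 0xFFFFFFFF          # TCP sequence numbers are 32-bit
RELATIVE_LIMIT = 1 << 24   # assumption: values below this are tcpdump's relative numbering

# Constructed sample input: the four tcpdump lines quoted in footnote [1],
# with the <client> / <ext_ip> placeholders left as in the post.
TRACE = """\
Jul 24 09:17:35.429490 <client>.2245 > <ext_ip>.143: S 2258140835:2258140835(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
Jul 24 09:17:35.429566 <ext_ip>.143 > <client>.2245: S 1742119500:1742119500(0) ack 2258140836 win 0 <mss 1452> (DF) [tos 0x10]
Jul 24 09:17:35.450975 <client>.2245 > <ext_ip>.143: . ack 1 win 65535 (DF)
Jul 24 09:17:35.450997 <ext_ip>.143 > <client>.2245: R 2552847796:2552847796(0) ack 1543259791 win 0 (DF) [tos 0x10]
"""

# One classic tcpdump(8) TCP summary line:
#   <timestamp> <src>.<sport> > <dst>.<dport>: <flags> [seq:seqend(len)] [ack N] ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]   # absolute; None for a bare ACK
    ack: Optional[int]   # may be relative (see to_absolute)


def parse_trace(text: str) -> list:
    """Parse tcpdump TCP summary lines; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append(Packet(
            ts=m["ts"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), flags=m["flags"],
            seq=int(m["seq"]) if m["seq"] else None,
            ack=int(m["ack"]) if m["ack"] else None,
        ))
    return pkts


def to_absolute(value: int, isn: int) -> int:
    """Once tcpdump has seen the SYN it prints seq/ack relative to the ISN
    (unless run with -S), so a small value is taken as an offset from isn."""
    return (isn + value) & MASK if value < RELATIVE_LIMIT else value


def check_synproxy_handshake(text: str) -> dict:
    """Verify SYN -> SYN/ACK -> ACK consistency and test whether a RST from
    the server side carries the seq/ack pair of that same handshake."""
    pkts = parse_trace(text)
    syn = next((p for p in pkts if p.flags == "S" and p.ack is None), None)
    if syn is None:
        raise ValueError("no client SYN in trace")
    client, server = (syn.src, syn.sport), (syn.dst, syn.dport)
    synack = next((p for p in pkts if (p.src, p.sport) == server
                   and p.flags == "S" and p.ack is not None), None)
    ack = next((p for p in pkts if (p.src, p.sport) == client
                and p.flags == "." and p.seq is None), None)
    rst = next((p for p in pkts if (p.src, p.sport) == server and "R" in p.flags), None)
    if synack is None or ack is None:
        raise ValueError("handshake incomplete in trace")
    isn_c, isn_s = syn.seq, synack.seq
    exp_seq, exp_ack = (isn_s + 1) & MASK, (isn_c + 1) & MASK   # numbers right after the handshake
    result = {
        "client_isn": isn_c,
        "isn_from_ext_ip": isn_s,
        "synack_acks_client_isn": synack.ack == exp_ack,
        "client_ack_completes_handshake": to_absolute(ack.ack, isn_s) == exp_seq,
        "rst": None,
        "rst_continues_handshake": None,
    }
    if rst is not None:
        result["rst"] = (rst.seq, rst.ack)
        # A RST tearing down this connection would sit in its sequence space.
        result["rst_continues_handshake"] = rst.seq == exp_seq and rst.ack == exp_ack
    return result


if __name__ == "__main__":
    for key, value in check_synproxy_handshake(TRACE).items():
        print(f"{key}: {value}")
```

On the quoted trace the SYN/ACK and the client's ACK are consistent with each other, while the RST's seq/ack pair (2552847796/1543259791) does not continue the handshake the firewall answered. That is the observation worth confirming from a capture before going through the ruleset and `pfctl -ss` for the state the connection should have matched.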