On Mon, Jan 12, 2004 at 08:09:29PM -0800, Peter Hessler wrote:

> Without synproxy, the client attempts to connect to the server, gets denied,
> and fails over to IPv4. With synproxy, it just stays on the IPv6 address,
> but nothing is listening. Is this expected behavior? Am I just being
> silly?

The whole point of the syn proxy is deferring the handshake with the server until the client has completed its handshake with the proxy. So, the handshake with the client will be done before it is known whether there is any server listening. I guess the proxy could react to an RST during the handshake with the server, but that wouldn't help in your case, as the IPv6 connection was already established (it would just get reset immediately afterwards, not triggering an IPv4 retry in the client).

> # sudo pfctl -sr
> pass in proto tcp all synproxy state

Why pass everything, and not just the ports you have servers running? The obvious solution is to block (with return-rst) inet6 proto tcp to port 110. If you don't run an IPv6 server on port 110, why pass packets and create state? Watch what happens when you nmap -sT that box from the outside, probably not what you want, either ;)

Daniel
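The ruleset change Daniel suggests, written out as an added pf.conf example (not part of the thread or of Peter's actual configuration): the original catch-all rule is shown commented out next to a default-deny ruleset that proxies only listening services and answers IPv6 attempts on the IPv4-only port with an RST. The interface name em0, a dual-stack web server on port 80 and an IPv4-only POP3 server on port 110 are assumptions.

```pf
# Added example, not from the thread. Assumed: external interface em0,
# HTTP listening on v4 and v6, POP3 listening on IPv4 only.
ext_if = "em0"

# The rule from the thread: every TCP port on both address families gets
# a proxied handshake, so a client "connects" even where nothing listens.
# pass in on $ext_if proto tcp all synproxy state

# Default deny on the outside interface. pf is last-match, so the pass
# rules below override this only for the ports named there.
block in on $ext_if

# Services that really listen on both address families get the proxy.
pass in on $ext_if proto tcp to any port 80 synproxy state

# POP3 is IPv4-only here: proxy the v4 handshake, and reset v6 attempts
# so a dual-stack client sees a refused connection and retries over v4
# instead of completing a handshake with the proxy (or timing out on a
# silent drop).
pass in on $ext_if inet proto tcp to any port 110 synproxy state
block return-rst in on $ext_if inet6 proto tcp to any port 110
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the return-rst rule matters because a plain block would make the IPv6 attempt time out rather than fail over promptly.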
