>> Stateful inspection on a gateway can hamper TCP connections when
>> inbound or outbound packets go another route (i.e. when one of the
>> directions does not go through the gateway).
kpo> well, yeah. How is a firewall supposed to deduce state if it doesn't
kpo> see any replies? psychic deduction?

You totally miss my point. I am not asking why PF behaves this way. I am a
programmer and, I guess, can understand it well enough. The only thing I
want to do is to notify PF developers and users that stateful inspection
seems not to be applicable to cases with asymmetric routing.

>> The connection works fine at a low rate, but fast transfers stop at
>> each 64K (because suddenly PF stops passing packets).
>>
>> I guess it is not a bug, just some feature (like some
>> tcp-window-related state protection). So think about whether there
>> are reasons to correct this PF behavior.

Found something in the man page:

--------------8<--- man pf.conf ---8<-------------
This has several advantages. Comparing a packet to a state involves
checking its sequence numbers. If the sequence numbers are outside the
narrow windows of expected values, the packet is dropped. This prevents
spoofing attacks, such as when an attacker sends packets with a fake
source address/port but does not know the connection's sequence numbers.
--------------8<--- man pf.conf ---8<-------------

kpo> Correct? If you can design a prescient packet filter, then more
kpo> power to you.

In general, prescience is a hardware problem :)

Seriously, there are a couple of things that can be done to solve such a
case without prescience. Of course, ONLY if the developers think it is
important enough.

For example, it is possible to make PF smart enough to detect asymmetric
routing and turn off the checks that cannot be performed on such states.
Or add the ability to select a "lighter" inspection mode for such cases
(with a suffix like "keep light-state" :).

Anyway, I can't and do not try to decide anything for the developers.

Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A. SpeciaEQ SW section
JSC Oganer-Service
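The sequence-window check quoted from pf.conf above, and why it breaks the moment the gateway sees only one direction of a connection, can be watched in a small model. The following is an added example written for this thread, not pf's code and not anything the poster sent: it keeps, per side of a connection, the highest sequence number seen and the limit the peer's ACKs have opened, accepts only segments inside that window, and (as a simplification of what a real tracker does for a peer it has never seen) tolerates one fixed MAX_ACK_WINDOW of slack beyond the last known limit. The endpoint names, the 65535 constant, the initial sequence numbers and the window size are assumptions. With the reply path routed through the filter the window keeps sliding and a 1 MB transfer passes; with the replies routed elsewhere the window never slides, and the stream is cut off after roughly 64 KB, which is the behaviour described in the post. A segment with a guessed, far-off sequence number is dropped in both modes, which is the spoofing protection the man page describes.

```python
# Simplified model of a sequence-number-checking stateful TCP filter, in the
# spirit of the pf.conf text quoted above.  It is NOT pf's code: the window
# arithmetic is reduced to the part that matters here, and the constants and
# endpoint names are assumptions made for this example.

MAX_ACK_WINDOW = 65535  # assumed slack allowed for a peer the filter never saw


class Side:
    """What one endpoint of the connection has sent and may still send."""

    def __init__(self):
        self.seen = False
        self.seqlo = 0    # highest sequence number this side has sent so far
        self.seqhi = 0    # limit on what it may send: peer's ack + peer's window
        self.max_win = 1  # largest window this side has advertised


class TcpState:
    """State entry for one connection between 'client' and 'server'."""

    def __init__(self):
        self.sides = {"client": Side(), "server": Side()}

    def inspect(self, src, seq, ack, win, length):
        """Compare a segment with the state; True means pass, False means drop."""
        me = self.sides[src]
        peer = self.sides["server" if src == "client" else "client"]
        end = seq + length
        if not me.seen:  # first segment from this end initialises its side
            me.seen, me.seqlo, me.seqhi, me.max_win = True, seq, end + 1, max(win, 1)
        if end <= me.seqhi and seq >= me.seqlo - peer.max_win:
            pass  # strict: last byte inside the window the peer's ACKs opened
        elif (not peer.seen and end <= me.seqhi + MAX_ACK_WINDOW
              and seq >= me.seqlo - MAX_ACK_WINDOW):
            pass  # loose: peer never seen, tolerate one MAX_ACK_WINDOW ahead
        else:
            return False  # bad sequence number: a spoof, or a window we never saw open
        me.max_win = max(me.max_win, win)
        me.seqlo = max(me.seqlo, end)
        if peer.seen and ack + win >= peer.seqhi:
            peer.seqhi = ack + max(win, 1)  # this ACK slides what the peer may send
        return True


ISN_C, ISN_S, WIN = 1000, 5000, 65535  # constructed sequence numbers and window


def handshake(state, see_acks):
    """Three-way handshake; the SYN/ACK is only seen if the reply path crosses us."""
    ok = state.inspect("client", ISN_C, 0, WIN, 1)               # SYN takes one seq number
    if see_acks:
        ok &= state.inspect("server", ISN_S, ISN_C + 1, WIN, 1)  # SYN/ACK
    ok &= state.inspect("client", ISN_C + 1, ISN_S + 1, WIN, 0)  # ACK
    if not ok:
        raise RuntimeError("handshake rejected by state check")


def transfer(total_bytes, see_acks, mss=1460):
    """Push total_bytes client->server; return bytes passed before the first drop."""
    state = TcpState()
    handshake(state, see_acks)
    seq, sent = ISN_C + 1, 0
    while sent < total_bytes:
        length = min(mss, total_bytes - sent)
        if not state.inspect("client", seq, ISN_S + 1, WIN, length):
            return sent  # the gateway silently stopped passing the stream here
        seq += length
        sent += length
        if see_acks:  # the server's pure ACK keeps sliding the client's window
            state.inspect("server", ISN_S + 1, seq, WIN, 0)
    return sent


def spoofed_segment_passes(see_acks):
    """Segment with a guessed, far-off sequence number: the case the man page is about."""
    state = TcpState()
    handshake(state, see_acks)
    return state.inspect("client", ISN_C + 1 + 10_000_000, ISN_S + 1, WIN, 100)


if __name__ == "__main__":
    print("symmetric, 1 MB :", transfer(1_000_000, see_acks=True))   # 1000000
    print("asymmetric, 1 MB:", transfer(1_000_000, see_acks=False))  # 64240
    print("spoof passes    :", spoofed_segment_passes(True), spoofed_segment_passes(False))
```

The asymmetric run cuts off after 44 full-size segments (64240 bytes) because the client's limit was fixed at the end of its SYN plus the 65535 slack and nothing ever advances it; that is the kind of "stops at 64K" symptom the post reports. Note that the "lighter" inspection mode asked for above did later appear in pf as the `sloppy` state option (`keep state (sloppy)`), which skips the sequence-number checks for exactly this situation at the cost of the spoofing protection the man page describes.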
