On Tue, Dec 13, 2005 at 03:12:12PM +0100, Németh Tamás wrote:
> I have tried what you said, and I experienced that, when pf was not enabled,
> then everything went fine (I couldn't see any connection in TIME_WAIT state
> with netstat -n; I think the state was removed pretty fast).
> Could you explain to me why this happened?
Ah, you're not actually completing the handshake, but sending the RST instead of the ACK. I guess the recipient stack immediately purges the TCP control block in that case. I'm not sure if this is strictly following the TCP RFC or just an optimization to save memory during SYN floods.

Either way, pf will still keep the state around until the default timeout has expired. If you don't like that, you can reduce the timeout (pfctl -st) to expire the state earlier.

The client is clearly misbehaving in your case (re-using the address/port quadruple before the MSL quiet period has passed). Sending a SYN without the intention of completing the handshake is a cute trick at best (and an attack at worst), and you can't expect an uptime probe to work like that, in general. :)

Daniel
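As an added illustration of the timeout knob Daniel refers to (this is not part of the original thread or of the pf project's documentation), the following pf.conf fragment lowers the TCP state timeouts that govern how long a half-open or reset connection stays in the state table. The option names and the `set timeout` syntax are those of pf.conf(5); the particular values chosen, and the assumption that the reset state is what needs shortening, are the editor's, since the reply above does not say which timeout applies to this case. Check the live values on the box with `pfctl -st` before and after loading the rules.

```conf
# Added example: pf.conf fragment lowering the TCP state timeouts.
# Not from the original thread; values are illustrative, not recommendations.
#
# Inspect the current values first:
#   pfctl -st
# Typical output lines look like "tcp.first   120s", "tcp.closed   90s".
#
# tcp.first   : state created by a SYN, before the handshake completes
# tcp.opening : handshake in progress
# tcp.closing / tcp.finwait / tcp.closed : teardown states (RST or FIN seen)
set timeout { tcp.first 30, tcp.opening 10 }
set timeout { tcp.closing 60, tcp.finwait 30, tcp.closed 30 }

# Everything else stays at the defaults; reload and re-check:
#   pfctl -f /etc/pf.conf && pfctl -st
```

Shortening these values makes the stale state from a SYN/RST probe disappear sooner, but it also shortens the grace period for legitimate slow handshakes and teardowns, so tune them against real traffic rather than to the probe alone. The cleaner fix, as Daniel notes, is a probe that completes the handshake or at least does not reuse the same quadruple within the MSL.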
