
synproxy rule not matching any packets after upgrade from FreeBSD 5.4-R to 6.0-R

I'm having a strange problem with my pf setup. I've upgraded my FreeBSD
router from 5.4-R to 6.0-R, and rules which were previously working
normally have stopped functioning.
I had a rule like this:
pass in quick on rl0 inet proto tcp from any to port = ssh flags S/SA synproxy state (max 200, source-track rule, max-src-states 5) queue ssh
When I connected to that port, the three-way handshake was completed, but
pfctl -vvsr didn't show any packets or bytes matching that rule. After
switching from 'synproxy state' to 'keep state', it started working as
usual. Now I'm confused.
Any hints?
Stanisław Halik, http://tehran.lain.pl