Date:      Tue, 8 Apr 2008 00:37:41 +0100
From:      "Torsten @ CNC-LONDON" <torsten@cnc-london.net>
To:        <freebsd-pf@freebsd.org>
Subject:   RE: SSH Session disconnecting with pf
Message-ID:  <004201c89908$5fe06a30$1fa13e90$@net>
In-Reply-To: <1207610249.32218.143.camel@kensho.c7.ca>
References:  <003801c898fb$16a897a0$43f9c6e0$@net>	<20080407230750.GA15720@eos.sc1.parodius.com> <1207610249.32218.143.camel@kensho.c7.ca>

Hi All
Thank you very much for the comments.
This may explain some VPN issues I had in the past as well. 
Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
Behalf Of Elliott Perrin
Sent: 08 April 2008 00:17
To: freebsd-pf@freebsd.org
Subject: Re: SSH Session disconnecting with pf

See Below

On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > I'm running FreeBSD stable6.2 on all my servers and in the past one year I
> > noticed a random disconnection of persistent sessions to and from servers
> > with is running as PF the firewall
> 
> The big problem with your rules looks to be how you're determining SYN,
> and how you're using keep state.
> 
> Below are some comments.
> 
> >         SYN_ONLY="S/FSRA"
> 
> This is very, very wrong, and probably the cause of your issues.  This
> should be S/SA.

That is not very very wrong. 

Any TCP session starting up should only have the SYN flag set out of SYN
FIN ACK RST. As a matter of fact this is in theory a more secure setting
than S/SA (SYN out of SYN ACK). 

Cheers,
Elliott Perrin
elliott@c7.ca

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
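The disagreement above is about what pf's `flags a/b` option actually tests. The following is an added example, not code from the thread or from pf: it models pf's flag-matching semantics (of the flags named in the mask `b`, exactly those named in `a` must be set; bits outside the mask are ignored) and runs both `S/SA` and `S/FSRA` over a set of constructed TCP flag combinations, so the difference Elliott points to becomes visible. The flag letters follow the pf.conf convention; the sample packets and the function names are assumptions made for this example.

```python
# Added example (not from the thread): model pf's "flags a/b" matching and
# compare the two specifications discussed, S/SA and S/FSRA.

# TCP flag letters as used in pf.conf, mapped to their header bits.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def parse_flagset(letters: str) -> int:
    """Turn a pf flag string such as 'SA' into the OR of its header bits."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def flags_match(packet_flags: int, spec: str) -> bool:
    """pf semantics for 'flags a/b': within the bits of mask b, exactly the
    bits of a must be set. Bits not in b (e.g. ECE/CWR) are not examined."""
    want, mask = spec.split("/")
    want_bits = parse_flagset(want)
    mask_bits = parse_flagset(mask)
    if want_bits & ~mask_bits:
        raise ValueError(f"flags in '{want}' must be a subset of mask '{mask}'")
    return (packet_flags & mask_bits) == want_bits


def compare_specs(samples, specs=("S/SA", "S/FSRA")):
    """Return {sample_flags: {spec: matched}} for every constructed sample."""
    return {
        sample: {spec: flags_match(parse_flagset(sample), spec) for spec in specs}
        for sample in samples
    }


# Constructed sample packets (flag strings only; no real traffic involved).
SAMPLES = [
    "S",    # plain SYN, a normal connection attempt
    "SEW",  # SYN with ECN negotiation bits set (RFC 3168)
    "SA",   # SYN-ACK, the reply half of the handshake
    "A",    # a packet from an established session
    "PA",   # data segment in an established session
    "SF",   # SYN+FIN, never legitimate
    "SR",   # SYN+RST, never legitimate
]


if __name__ == "__main__":
    results = compare_specs(SAMPLES)
    print(f"{'flags':<6} {'S/SA':<6} {'S/FSRA':<6}")
    for sample, matched in results.items():
        print(f"{sample:<6} {str(matched['S/SA']):<6} {str(matched['S/FSRA']):<6}")
```

Both specifications accept a plain SYN and a SYN carrying ECN bits (those bits are outside either mask), and both reject a SYN-ACK or a mid-session ACK, which is why `S/FSRA` does not by itself break connection setup. The two differ only on malformed combinations: `S/SA` lets SYN+FIN and SYN+RST through to the `keep state` rule, while `S/FSRA` rejects them, which is the sense in which the narrower mask is the stricter of the two. Either way, only the first packet of a connection is ever evaluated against the `flags` option; once a state entry exists, later packets are matched by the state table, so a flag specification alone does not explain an established SSH session being dropped.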