Date: Fri, 27 Dec 2019 18:42:57 +0100
From: "Kristof Provost" <kristof@sigsegv.be>
To: "Özkan KIRIK" <ozkan.kirik@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Blocking SYN with data
Message-ID: <5DA4A228-98D3-4F96-978F-D36BEEA8617B@sigsegv.be>
In-Reply-To: <CAAcX-AHztSKjmu7SUEanDUwWMLop4QNGvmdFxdOBrb=F9yphew@mail.gmail.com>
References: <CAAcX-AHztSKjmu7SUEanDUwWMLop4QNGvmdFxdOBrb=F9yphew@mail.gmail.com>
On 26 Dec 2019, at 1:13, Özkan KIRIK wrote:
> Hi,
>
> I want to block SYN with data packets.
> I read the pf.conf manual, but couldn't find a clear way to do this.
>
> Is it possible to match packets greater than N bytes using pf on FreeBSD
> 12.1 stable?

There isn't a way to express this in pf right now.

> Does synproxy state or modulate state perform this operation?

I've had a quick look at the code, and I'm somewhat surprised to find that pf doesn't stop this by default. There may be good reasons for this, or perhaps it's not considered to be a problem (i.e. it doesn't happen often, and host stacks discard it anyway).

I've not gone through the synproxy code flow, but I'd expect that to prevent this from happening.

Why are you concerned about it?

Best regards,
Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5DA4A228-98D3-4F96-978F-D36BEEA8617B>
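Added illustration, not part of the thread above and not pf code: Kristof's point is that pf has no rule syntax for "SYN carrying payload", so the condition the original poster wants to block has to be spelled out by hand. The Python below does exactly that over raw IPv4/TCP bytes: it parses the IP and TCP headers, honours the IP total length (so Ethernet trailer padding is not mistaken for payload), and reports whether a segment has SYN set and at least one payload byte. The sample packets are constructed inline (RFC 5737 documentation addresses, zero checksums) purely as test input; the helper names are this example's own.

```python
import struct

# TCP flag bits (RFC 793).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(payload: bytes, flags: int, tcp_opts: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP segment as *constructed test input*.
    Checksums are left at zero and the addresses are RFC 5737 documentation
    addresses; this is not meant to be put on a wire."""
    assert len(tcp_opts) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_hdr_len = 20 + len(tcp_opts)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | 5,          # version 4, IHL 5 (20 bytes)
                     0, total_len, 0x1234,  # TOS, total length, ID
                     0x4000, 64, 6, 0,      # DF, TTL, protocol TCP, checksum 0
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,            # source / destination port
                      1000, 0,              # seq / ack
                      (tcp_hdr_len // 4) << 4,  # data offset in 32-bit words
                      flags, 65535, 0, 0)   # flags, window, checksum 0, urg ptr
    return ip + tcp + tcp_opts + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return TCP flags, TCP header length and TCP payload length of an
    IPv4/TCP packet, or raise ValueError for anything that does not parse.
    The IP total-length field bounds the segment, so trailing link-layer
    padding after the datagram is never counted as payload."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    if ihl < 20 or total_len < ihl + 20 or total_len > len(pkt):
        raise ValueError("bad IP lengths")
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return {"flags": tcp[13], "tcp_hdr_len": data_off,
            "payload_len": len(tcp) - data_off}


def is_syn_with_data(pkt: bytes) -> bool:
    """True when SYN is set and the segment carries at least one payload byte.
    SYN/ACK with data is counted too; only TCP options are excluded, since
    they live in the header, not the payload."""
    info = parse_ipv4_tcp(pkt)
    return bool(info["flags"] & TCP_SYN) and info["payload_len"] > 0


# Constructed samples. MSS option: kind 2, length 4, value 1460.
MSS_OPT = b"\x02\x04\x05\xb4"
SAMPLES = {
    "plain_syn":        build_ipv4_tcp(b"", TCP_SYN, MSS_OPT),
    "syn_with_data":    build_ipv4_tcp(b"GET / HT", TCP_SYN, MSS_OPT),
    "synack_with_data": build_ipv4_tcp(b"\x00\x01", TCP_SYN | TCP_ACK),
    "ack_with_data":    build_ipv4_tcp(b"hello", TCP_ACK | TCP_PSH),
    # Pure SYN inside a frame padded to the Ethernet minimum: must NOT match.
    "padded_syn":       build_ipv4_tcp(b"", TCP_SYN) + b"\x00" * 6,
}


def classify_samples() -> dict:
    """Run the check over every constructed sample."""
    return {name: is_syn_with_data(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:18s} syn-with-data={hit}")
```

The padded sample is the edge case worth keeping in mind for any packet-length heuristic: a bare SYN in a 60-byte Ethernet frame is longer than its IP datagram, so "frame longer than N bytes" would produce false positives where "TCP payload length greater than zero" does not.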