
List:       freebsd-pf
Subject:    Re: Blocking SYN with data
From:       "Kristof Provost" <kristof () sigsegv ! be>
Date:       2019-12-27 17:42:57
Message-ID: 5DA4A228-98D3-4F96-978F-D36BEEA8617B () sigsegv ! be

On 26 Dec 2019, at 1:13, Özkan KIRIK wrote:
> Hi,
>
> I want to block SYN with data packets.
> I read the pf.conf manual, but couldn't find a clear way to do this.
>
> Is it possible to match packets greater than N bytes using pf on FreeBSD
> 12.1 stable?

There isn't a way to express this in pf right now.

> Does synproxy state or modulate state perform this operation?
>
I've had a quick look at the code, and I'm somewhat surprised to 
find that pf doesn't stop this by default. There may be good reasons 
for this, or perhaps it's not considered to be a problem (i.e. it 
doesn't happen often, and host stacks discard it anyway).
I've not gone through the synproxy code flow, but I'd expect that 
to prevent this from happening.

Why are you concerned about it?

Best regards,
Kristof
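The thread is about TCP segments that carry the SYN flag and a payload at the same time, which pf has no rule syntax to match. The following is an added example, not code from the thread or from pf: a small Python parser that reads raw IPv4/TCP packets, extracts the flag byte and the payload length (honouring the IHL and TCP data-offset fields, so options are not mistaken for data), and reports segments that have SYN set and carry more than a chosen number of payload bytes. The packets are constructed inline for the example; the builder, the addresses and ports, and the function names are assumptions, not anything pf exposes.

```python
"""Detect TCP SYN segments that carry payload in raw IPv4 packets.

Added example for the pf thread above; not pf code. All packets are
constructed here for illustration (addresses and ports are arbitrary).
"""
import struct

# TCP flag bits in the flags byte (RFC 793 layout).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (checksums left zero; constructed sample)."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,                    # src/dst port (arbitrary)
                      1, 0,                         # seq, ack
                      data_offset << 4,             # data offset in the upper nibble
                      flags, 65535, 0, 0)           # flags, window, checksum, urg
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp),        # version/IHL, TOS, total length
                     0, 0, 64, 6, 0,                # id, flags/frag, TTL, proto=TCP, csum
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # RFC 5737 addresses
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes):
    """Return (tcp_flags, payload_len) for an IPv4/TCP packet, or None if not parseable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:           # need a full IPv4 header
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or pkt[9] != 6:   # truncated or not TCP
        return None
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4                # TCP header length incl. options
    if data_offset < 20 or data_offset > len(tcp):
        return None
    flags = tcp[13]
    return flags, len(tcp) - data_offset            # bytes after the TCP header


def is_syn_with_data(pkt: bytes, max_payload: int = 0) -> bool:
    """True if SYN is set and the segment carries more than max_payload bytes."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags, payload_len = parsed
    return bool(flags & TCP_SYN) and payload_len > max_payload


def count_syn_with_data(pkts, max_payload: int = 0) -> int:
    """Count how many packets in an iterable would be flagged."""
    return sum(1 for p in pkts if is_syn_with_data(p, max_payload))


if __name__ == "__main__":
    mss_opt = bytes([2, 4, 0x05, 0xB4])             # MSS option, 1460 (constructed)
    samples = [
        build_ipv4_tcp(TCP_SYN, options=mss_opt),                    # plain SYN
        build_ipv4_tcp(TCP_SYN, b"GET / HTTP/1.0\r\n", mss_opt),     # SYN + data
        build_ipv4_tcp(TCP_ACK | TCP_PSH, b"GET / HTTP/1.0\r\n"),    # normal data
    ]
    for i, p in enumerate(samples):
        print(i, parse_ipv4_tcp(p), is_syn_with_data(p))
```

The `max_payload` argument generalises the thread's question ("packets greater than N bytes") to a threshold rather than a strict zero; with the default of 0 the check flags any SYN that carries data at all, which is the case the original post wants to block.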
