[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf blocks ACK response

To: gustavo@shoptime.com (Luiz Gustavo)
Subject: Re: pf blocks ACK response
From: Darren Reed <avalon@coombs.anu.edu.au>
Date: Thu, 21 Mar 2002 10:53:15 +1100 (Australia/ACT)
Cc: misc@openbsd.org

In some mail from Luiz Gustavo, sie said:
> 
> On Thu, Mar 21, 2002 at 09:47:27AM +1100, Darren Reed wrote:
> 
> > > > block return-rst in quick proto tcp from 148.223.71.252/32 to any
> > > 
> > > I tired this, doesn't work, but don't understand what is behind it. What
> > > is the point in blocking something that is already not allowed through pf?
> > 
> > The point of that rule is the "return-rst".  It would need to be towards
> > the top of your rules, before any others which might cause it not to be
> > matched.  At least so adding it made it work with ipf.
> 
>  Why not...
> 
>  block return-rst in proto tcp from 148.223.71.252/32 to any flags S

Because the other end is sending a plain ACK packet (not SYN) and that
rule won't match those packets ?

Darren

References:
- Re: pf blocks ACK response
  - From: Luiz Gustavo <gustavo@shoptime.com>

Prev by Date: Re: pf does not pass esp?
Next by Date: Re: pf blocks ACK response
Prev by thread: Re: pf blocks ACK response
Next by thread: Re: pf blocks ACK response
Index(es):
- Date
- Thread