Hi, in my /etc/pf.conf I have the line:

set skip on lo

That is why the rules from my previous email don't work.

If I comment out "set skip on lo", the rules work, but the "... keep state (max 1)" rule drops the SYN of the second connection, so the session in relayd is not closed immediately. Does anyone know whether, with some other option in that specific PF rule, it is possible to reject the SYN with a TCP RST?

Anyway, I miss the possibility of setting, in /etc/relayd.conf, the max number of active relays to a specific host. If I'm not wrong, other relays (HAProxy) have this option available.

On Sun, 10 Dec 2023 at 12:25 Luca Di Gregorio <luc...@gmail.com> wrote:

> # uname -a
> OpenBSD XXX.my.domain 7.4 GENERIC#0 amd64
>
> I need to allow only one connection to an application from relayd.
>
> # cat /etc/relayd.conf
> table <xxx> { lo }
> http protocol xxx_https {
>     tls keypair yyy.zzz.org
>     tcp nodelay
> }
> relay xxx {
>     listen on 0.0.0.0 port 10004 tls
>     protocol xxx_https
>     forward to <xxx> port 10104 check icmp
> }
>
> I don't see in man relayd.conf any option to set the max number of relays
> to a host in a table.
>
> So, I tried to put the limit on PF
>
> # pfctl -s rules:
> ...
> block drop in inet proto tcp from 127.0.0.1 to 127.0.0.1 port = 10104
> pass in inet proto tcp from 127.0.0.1 to 127.0.0.1 port = 10104 flags S/SA keep state (max 1)
> ...
>
> But, with this configuration, the second (and the third, and the fourth,
> ...) connection to port 10004 is forwarded to 10104 without any filter
> applied by PF.
>
> Am I missing something, or is it a bug in PF?
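The thread hinges on what the client actually sees on the second connection: a silently dropped SYN (client hangs until its timeout) versus a TCP RST (immediate "connection refused"). The following probe, an added example and not code from the thread or from relayd, opens several connections to a port, holds them open so their PF states stay alive, and classifies each attempt; the local accept-all listener and the port numbers it picks are constructed stand-ins for the relay on 10004.

```python
import socket
import threading


def probe_connections(host, port, count=3, timeout=2.0):
    """Open `count` connections, keeping each open, and classify every attempt.

    'connected': handshake completed (PF created a state for it)
    'dropped':   no SYN/ACK within `timeout` (PF dropped the SYN, which is
                 what happens once `keep state (max 1)` is exhausted)
    'refused':   a TCP RST came back (the behaviour the thread asks for)
    """
    held, results = [], []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                held.append(s)  # keep it open so its PF state is not torn down
                results.append("connected")
            except socket.timeout:
                s.close()
                results.append("dropped")
            except ConnectionRefusedError:
                s.close()
                results.append("refused")
    finally:
        for s in held:
            s.close()
    return results


def start_accepting_listener():
    """Constructed stand-in for the backend: accepts everything, returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    kept = []  # hold accepted sockets so the peer side stays established

    def loop():
        while True:
            try:
                kept.append(srv.accept()[0])
            except OSError:
                return

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Pick a loopback port with no listener; connecting to it yields a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Against the setup in the thread, `probe_connections("127.0.0.1", 10004)` run with the rules loaded shows directly whether the second attempt reports "dropped" or "refused".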