Seems like you might want to use "return" on your block rule.

--
 Sent from a phone, apologies for poor formatting.
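The change suggested above (a returning block rule instead of a silent drop), written out as an added /etc/pf.conf fragment; this is not configuration from the thread, and it assumes the same loopback backend (port 10104) as the original post:

```pf
# Added example, not from the thread. Only the lines relevant to the
# relayd backend on lo port 10104 are shown; the rest of pf.conf is omitted.

# Keep "set skip on lo" out of the file: with it present, loopback traffic
# is never filtered and none of the rules below are evaluated.
# set skip on lo

# "block return" answers TCP with a RST (and UDP with ICMP unreachable)
# instead of dropping the packet, so relayd sees an immediate refusal
# rather than retransmitting the SYN until it times out.
# "block return-rst" does the same for TCP only.
block return in inet proto tcp from 127.0.0.1 to 127.0.0.1 port 10104

# Allow a single concurrent state for the backend. Per pf.conf(5), once
# "max" is reached, further packets that would create state no longer
# match this rule, so they fall through to the block rule above.
# "flags S/SA" means only a SYN (not SYN+ACK) can create the state.
pass in inet proto tcp from 127.0.0.1 to 127.0.0.1 port 10104 \
        flags S/SA keep state (max 1)
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `pfctl -ss` shows whether the single state for port 10104 still exists, since a new connection is refused until that state expires.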

On 10 December 2023 20:15:36 Luca Di Gregorio <luc...@gmail.com> wrote:

Hi, in my /etc/pf.conf I have the line:
set skip on lo
That is why the rules of my previous email don't work.

If I comment
# set skip on lo
the rules work, but the ... keep state (max 1) drops the SYN of the second
connection, so the session in relayd is not closed immediately.

Does anyone know if, with any other option in the specific PF rule, it is
possible to reject the SYN with a TCP RST?

Anyway, I miss the possibility to set, in /etc/relayd.conf, the max number
of active relays to a specific host.
If I'm not wrong, other relays (HAProxy) have this option available.



On Sun 10 Dec 2023 at 12:25 Luca Di Gregorio <luc...@gmail.com> wrote:

# uname -a
OpenBSD XXX.my.domain 7.4 GENERIC#0 amd64

I need to allow only one connection to an application from relayd.

# cat /etc/relayd.conf
table <xxx> { lo }
http protocol xxx_https {
        tls keypair yyy.zzz.org
        tcp nodelay
}
relay xxx {
        listen on 0.0.0.0 port 10004 tls
        protocol xxx_https
        forward to <xxx> port 10104 check icmp
}

I don't see in man relayd.conf any option to set the max number of relays
to a host in a table.

So, I tried to put the limit on PF

# pfctl -s rules:
...
block drop in inet proto tcp from 127.0.0.1 to 127.0.0.1 port = 10104
pass in inet proto tcp from 127.0.0.1 to 127.0.0.1 port = 10104 flags S/SA keep state (max 1)
...

But, with this configuration, the second (and the third, and the fourth, ...)
connection to port 10004 is forwarded to 10104 without any filter applied by PF.

Am I missing something, or is it a bug of PF?
