I've just tested with "block return" instead of "block drop".
The result is the same. In fact, in man pf.conf I see:

max number
   Limits the number of concurrent states the rule may create.
   When this limit is reached, further packets that would create
   state are dropped until existing states time out.

When a second client tries to connect, relayd sends a SYN
to port 10104. The packet is dropped but relayd creates a state
(state2), because it doesn't receive a TCP RST.
When the first client disconnects, and tries to reconnect, PF drops
the SYN because state2 already exists.
A connection is possible only when state2 is destroyed, after
a timeout (30 or 45 seconds, I guess).

It seems that 1) PF can't be configured to send back a TCP RST with (max X)
option.
On the other hand, 2) relayd cannot limit the number of relays to a
specific host.

I would like to ask if it's possible to implement 1) or 2).
2) would be the best option, in my opinion it is cleaner than 1).

Thanks anyway, regards


On Mon, 11 Dec 2023 at 09:49, Stuart Henderson <s...@spacehopper.org> wrote:

> Seems like you might want to use "return" on your block rule.
>
> --
>   Sent from a phone, apologies for poor formatting.
>
>
> On 10 December 2023 20:15:36 Luca Di Gregorio <luc...@gmail.com> wrote:
>
>> Hi, in my /etc/pf.conf I have the line:
>> set skip on lo
>> That is why the rules of my previous email don't work.
>>
>> If I comment
>> # set skip on lo
>> the rules work, but the ... keep state (max 1) drops the SYN of the second
>> connection,
>> so the session in relayd is not closed immediately.
>>
>> Does anyone know if, with any other option in the specific rule of PF, it
>> is possible to reject the SYN with a TCP RST?
>>
>> Anyway, I miss the possibility to set, in /etc/relayd.conf, the max number
>> of active relays to a specific host.
>> If I'm not wrong, other relays (HAProxy) have this option available.
>>
>>
>>
>> On Sun, 10 Dec 2023 at 12:25, Luca Di Gregorio <luc...@gmail.com> wrote:
>>
>>> # uname -a
>>> OpenBSD XXX.my.domain 7.4 GENERIC#0 amd64
>>>
>>> I need to allow only one connection to an application from relayd.
>>>
>>> # cat /etc/relayd.conf
>>> table <xxx> { lo }
>>> http protocol xxx_https {
>>>     tls keypair yyy.zzz.org
>>>     tcp nodelay
>>> }
>>> relay xxx {
>>>     listen on 0.0.0.0 port 10004 tls
>>>     protocol xxx_https
>>>     forward to <xxx> port 10104 check icmp
>>> }
>>>
>>> I don't see in man relayd.conf any option to set the max number of relays
>>> to a host in a table.
>>>
>>> So, I tried to put the limit on PF
>>>
>>> # pfctl -s rules
>>> ...
>>> block drop in inet proto tcp from 127.0.0.1 to 127.0.0.1 port = 10104
>>> pass in inet proto tcp from 127.0.0.1 to 127.0.0.1 port = 10104 flags S/SA keep state (max 1)
>>> ...
>>>
>>> But, with this configuration, the second (and the third, and the fourth,
>>> ...) connection to port 10004 is forwarded to 10104 without any filter
>>> applied by PF.
>>>
>>> Am I missing something, or is it a bug of PF?
>>>
>>>
>>>
>

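A check that goes with the state2 explanation in the message above, added here as an example and not part of the thread: it reads `pfctl -s states` output (the constructed sample below stands in for the live output) and reports how many states are aimed at the relay's backend host:port and which of them are still half-open. On a `keep state (max 1)` rule, a half-open SYN_SENT:CLOSED entry left behind by a dropped SYN is exactly the state that keeps the slot busy until it times out. The field layout assumed is the default `pfctl -s states` one (interface, protocol, address, arrow, address, state pair); NAT'd states carry an extra token and are skipped.

```shell
#!/bin/sh
# Added example (not from the thread): inspect `pfctl -s states` output to see
# which states are occupying the slot of a `keep state (max 1)` rule.
#
# pfctl prints one state per line, for example:
#   all tcp 127.0.0.1:10104 <- 127.0.0.1:28345       ESTABLISHED:ESTABLISHED
#   lo0 tcp 127.0.0.1:28346 -> 127.0.0.1:10104       SYN_SENT:CLOSED
# For "in" states (<-) the first address is the local destination; for "out"
# states (->) the destination is the address after the arrow. States that went
# through NAT carry an extra "(addr:port)" token (NF != 6) and are skipped here.

# Print the number of states whose destination is $1 (host:port).
pf_states_to() {
    awk -v target="$1" '
        NF == 6 && $4 == "<-" && $3 == target { n++ }
        NF == 6 && $4 == "->" && $5 == target { n++ }
        END { print n + 0 }
    '
}

# Print the states towards $1 that are not fully established, i.e. the
# half-open entries (such as SYN_SENT:CLOSED) that only go away by timeout.
pf_halfopen_to() {
    awk -v target="$1" '
        NF == 6 && $4 == "<-" && $3 == target && $6 != "ESTABLISHED:ESTABLISHED"
        NF == 6 && $4 == "->" && $5 == target && $6 != "ESTABLISHED:ESTABLISHED"
    '
}

# Constructed sample standing in for `pfctl -s states` on the box from the
# thread: one established relay session towards 10104, one half-open state
# left over from a dropped SYN, and one unrelated client state on 10004.
SAMPLE_STATES='all tcp 127.0.0.1:10104 <- 127.0.0.1:28345       ESTABLISHED:ESTABLISHED
lo0 tcp 127.0.0.1:28346 -> 127.0.0.1:10104       SYN_SENT:CLOSED
all tcp 203.0.113.10:10004 <- 198.51.100.7:51022       ESTABLISHED:ESTABLISHED'

# Stand-alone usage: `sh pfstates.sh --live` reads the real state table (root
# required); without arguments the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    pfctl -s states | pf_states_to 127.0.0.1:10104
    pfctl -s states | pf_halfopen_to 127.0.0.1:10104
else
    printf '%s\n' "$SAMPLE_STATES" | pf_states_to 127.0.0.1:10104
    printf '%s\n' "$SAMPLE_STATES" | pf_halfopen_to 127.0.0.1:10104
fi
```

On the sample the count for 127.0.0.1:10104 is 2 while only one session is really in use, which is the situation the message describes: the lingering half-open state fills the `max 1` quota, so the reconnecting client's SYN is dropped until that state expires.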