‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, December 18, 2020 6:13 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> And if it's anything like when I try it, you'll see some TCP connections
> failing when it is active too. Not everything fails, but e.g. if I have
> "set syncookies always" on a router, and run "ftp -o- http://www.facebook.com/"
> from a machine behind it, it fails every time (it appears to connect
> immediately, but of course that's just syncookies - I never get a response
> after making a request over it until I disable syncookies again).
>
> In that case where syncookies are active but things are failing I see
> PROXY and SYN_SENT states in pfctl -ss e.g.
>
> all tcp 157.240.221.35:80 <- 82.68.199.130:16476 PROXY:DST
> all tcp 82.68.199.130:16476 -> 157.240.221.35:80 SYN_SENT:CLOSED
>
> So I strongly recommend trying it with 'always' and see if things are
> broken for you. Otherwise if you set 'adaptive' you may get an unpleasant
> surprise sometime maybe much later when they do actually trigger.

Thanks for the tip. I just tried it on my OpenBSD 6.7 firewall at home and exactly as you say I can't connect to facebook.com anymore (same for instagram.com). This is really weird, do you have any idea why? Is it a bug in the implementation of syncookies in OpenBSD or facebook.com doing weird things with TCP?
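The check Stuart describes above (look in pfctl -ss for states parked in PROXY:DST, and for the matching outbound SYN_SENT:CLOSED state that never got its SYN-ACK from the real server) can be scripted so it runs from cron while syncookies are forced on. The script below is an added example written for this thread, not code from the original posts or from OpenBSD; the pfctl -ss sample it parses is constructed from the two lines quoted above plus two made-up healthy states, and it assumes the plain (non-NAT) state layout shown there, where the state name is the last field and no "(translated address)" column shifts the fields.

```sh
#!/bin/sh
# Added example (not from the original thread): spot pf syncookie sessions
# that never completed. A PROXY:DST state means pf answered the client's SYN
# itself; the paired "->" SYN_SENT:CLOSED state is pf's own SYN towards the
# server, still waiting for the SYN-ACK. Real use:
#     pfctl -ss | list_stuck_pairs
# The sample below is constructed for offline testing; the extra two states
# are invented healthy entries, and no NAT columns are present.

SAMPLE_PFCTL_SS='all tcp 157.240.221.35:80 <- 82.68.199.130:16476       PROXY:DST
all tcp 82.68.199.130:16476 -> 157.240.221.35:80       SYN_SENT:CLOSED
all tcp 10.0.0.5:22 <- 192.0.2.10:51234       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 192.0.2.11:4000       MULTIPLE:SINGLE'

# Print "server <- client" for every TCP state still in the PROXY stage.
# $2 is the protocol and $NF the state pair; $3/$5 are the two endpoints.
list_proxy_states() {
    awk '$2 == "tcp" && $NF == "PROXY:DST" { print $3, $4, $5 }'
}

# Number of PROXY states, for a threshold alarm in a cron job.
count_proxy_states() {
    list_proxy_states | wc -l | tr -d ' '
}

# Print "client server" for each PROXY:DST state whose reverse "->" entry is
# stuck in SYN_SENT:CLOSED, i.e. the firewall-to-server handshake never
# finished. Both sets are collected first because pfctl prints states in
# no particular order; keys are "client server" so the two directions match.
list_stuck_pairs() {
    awk '
        $2 == "tcp" && $NF == "PROXY:DST"       { proxy[$5 " " $3] = 1 }
        $2 == "tcp" && $NF == "SYN_SENT:CLOSED" { synsent[$3 " " $5] = 1 }
        END { for (k in proxy) if (k in synsent) print k }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFCTL_SS" | list_proxy_states
printf '%s\n' "$SAMPLE_PFCTL_SS" | list_stuck_pairs
```

With the constructed sample the first function prints only the facebook state and the second pairs it with its SYN_SENT:CLOSED twin; run against a live `pfctl -ss` while `set syncookies always` is in pf.conf, a steadily non-empty output from `list_stuck_pairs` is the symptom being discussed in this thread.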