On Sun, 22 Dec 2002 23:24:57 -0500, Michael Lucas wrote:
> So, above, the SSH rule is hit and is used.
> 
> Now I go to the SSH rule, and I add the ToS field like so:
> 
> pass out inet proto tcp from ($ExtIf) to any port 22 keep state tos 0x10 queue ssh
> 
> Per various documentation I've read, this is the ToS for an
> interactive SSH session.  The rest of the rules remain unchanged.

Well, very limited testing indicates that ssh sets the type of service after
the connection is made.  In particular, tos is *not* set in the initial SYN
packet, thus your rule is not matched.  scp and sftp don't set tos early,
either.

It seems to me that ssh is not doing the right thing here; it should determine
the type of service that it will use and set it before it sends the first
SYN.

-- 
Kyle R. Hofmann <[EMAIL PROTECTED]>
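A small check for the behaviour Kyle describes, added here as an example and not part of the thread or of any PF or OpenSSH code: it reads `tcpdump -v` style lines (the sample below is constructed, not a real capture) and reports, per TCP connection, which ToS value the initial SYN carried and at which packet the 0x10 marking first appeared. A `keep state` rule is evaluated against the packet that creates the state, so a rule carrying `tos 0x10` can only match the SYN if that packet is already marked; `syn_carries_tos` answers exactly that question. The regex assumes the `IP (tos 0x.., ...) src > dst: Flags [..]` layout that `tcpdump -v` prints.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of `tcpdump -v` output (not a real capture).
# The client sets ToS 0x10 only after the handshake and first exchange.
SAMPLE = """\
23:24:57.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.10.40001 > 192.0.2.20.22: Flags [S], seq 1, win 65535, length 0
23:24:57.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.20.22 > 192.0.2.10.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
23:24:57.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.40001 > 192.0.2.20.22: Flags [.], ack 101, win 4096, length 0
23:24:57.000004 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 73) 192.0.2.10.40001 > 192.0.2.20.22: Flags [P.], seq 1:22, ack 101, win 4096, length 21
23:24:57.000005 IP (tos 0x10, ttl 64, id 5, offset 0, flags [DF], proto TCP (6), length 100) 192.0.2.10.40001 > 192.0.2.20.22: Flags [P.], seq 22:70, ack 200, win 4096, length 48
"""

# Pull the ToS byte, both endpoints and the TCP flag string out of one line.
PKT_RE = re.compile(
    r"tos (?P<tos>0x[0-9a-fA-F]+).*?\)\s+"
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(text):
    """Return one dict per parsable packet line, in capture order."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        pkts.append({
            "tos": int(m.group("tos"), 16),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "flags": m.group("flags"),
        })
    return pkts


def analyze(text, want_tos=0x10):
    """Group packets by connection and record where the ToS marking shows up.

    For every connection we keep the ToS of the first pure SYN (the packet a
    stateful rule is evaluated against), the capture index of the first
    packet carrying want_tos, and how many packets carried it.
    """
    conns = OrderedDict()
    for i, p in enumerate(parse_packets(text)):
        key = tuple(sorted((p["src"], p["dst"])))
        c = conns.setdefault(
            key, {"syn_tos": None, "first_marked": None, "marked_packets": 0}
        )
        # A pure SYN has "S" without the "." that tcpdump uses for ACK.
        if "S" in p["flags"] and "." not in p["flags"] and c["syn_tos"] is None:
            c["syn_tos"] = p["tos"]
        if p["tos"] == want_tos:
            c["marked_packets"] += 1
            if c["first_marked"] is None:
                c["first_marked"] = i
    return conns


def syn_carries_tos(conn, want_tos=0x10):
    """True only if a `keep state ... tos want_tos` rule could match the SYN."""
    return conn["syn_tos"] == want_tos


if __name__ == "__main__":
    for key, c in analyze(SAMPLE).items():
        print("%s <-> %s: SYN tos=%#x, first 0x10 packet=%s, marked=%d, "
              "stateful tos rule matches SYN: %s"
              % (key[0], key[1], c["syn_tos"] if c["syn_tos"] is not None else 0,
                 c["first_marked"], c["marked_packets"], syn_carries_tos(c)))
```

Run it against `tcpdump -v -n port 22` output saved to a file to confirm on your own hosts whether the SYN is marked; if `first_marked` is always past the handshake, a queue assignment keyed on `tos` in a stateful rule will never see the marking.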