On Tue, Dec 13, 2005 at 03:12:12PM +0100, Németh Tamás wrote:

> With PF:
> hping -c 1 -s 60002 -S -p 22 1.2.3.4
> 14:16:48.379903 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4
> (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S
> 1809653489:1809653489(0) win 512
> 14:16:48.381907 00:e0:18:c4:b7:68 > 00:0c:f1:6b:31:d9, ethertype IPv4
> (0x0800), length 60: IP 1.2.3.4.22 > 1.2.3.5.60002: S
> 3965240421:3965240421(0) ack 1809653490 win 16384 <mss 1460>
> 14:16:48.381918 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4
> (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: R
> 1809653490:1809653490(0) win 0
>
> hping -c 1 -s 60002 -S -p 22 1.2.3.4
> 14:16:49.545931 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4
> (0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S 432383509:432383509(0)
> win 512

Try hping -M to use a constant initial sequence number (ISN) across both
invocations, then it should work.

If invocations are not expected to be several seconds apart, you probably
don't want pf to purge the state in between. Insertion and removal of
state entries is costly; if you set pf up to insert a state for every
single SYN and remove one for every single RST, you're exposing yourself
to a DoS attack where an attacker floods you with SYNs and RSTs like that.

Daniel
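A diagnostic for the situation in this thread, as an added example that is not part of either message: it scans tcpdump text for an initial SYN that reuses the same address/port pair with a different ISN while an earlier state may still exist. The function names and the 90-second `window_s` are assumptions chosen for illustration; set the window to whatever state lifetime your ruleset actually uses.

```python
import re

# Constructed input: the four packets from the quoted capture, one per line,
# with the link-layer fields dropped for brevity.
CAPTURE = """\
14:16:48.379903 IP 1.2.3.5.60002 > 1.2.3.4.22: S 1809653489:1809653489(0) win 512
14:16:48.381907 IP 1.2.3.4.22 > 1.2.3.5.60002: S 3965240421:3965240421(0) ack 1809653490 win 16384 <mss 1460>
14:16:48.381918 IP 1.2.3.5.60002 > 1.2.3.4.22: R 1809653490:1809653490(0) win 0
14:16:49.545931 IP 1.2.3.5.60002 > 1.2.3.4.22: S 432383509:432383509(0) win 512
"""

# Old-style tcpdump TCP line: time, optional link-layer text, "IP src > dst:",
# flags, "seq:seq(len)", optional "ack N".
PACKET = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) .*?\bIP (\S+) > (\S+): "
    r"([SFRPWE.]+) (\d+):\d+\(\d+\)( ack \d+)?"
)

def parse(line):
    """Return a dict for a TCP line carrying a sequence number, else None."""
    m = PACKET.match(line)
    if m is None:
        return None
    h, mi, s, src, dst, flags, seq, ack = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
            "dst": dst, "flags": flags, "seq": int(seq), "ack": ack is not None}

def isn_mismatches(capture, window_s=90.0):
    """List (flow, old_isn, new_isn, seconds_apart) for each initial SYN that
    reuses a src/dst pair within window_s but carries a different ISN."""
    last_syn, findings = {}, []
    for line in capture.splitlines():
        p = parse(line)
        # Only initial SYNs matter here; a SYN+ACK has the ack field set.
        if p is None or "S" not in p["flags"] or p["ack"]:
            continue
        flow = (p["src"], p["dst"])
        prev = last_syn.get(flow)
        if prev and p["t"] - prev["t"] <= window_s and p["seq"] != prev["seq"]:
            findings.append((flow, prev["seq"], p["seq"], p["t"] - prev["t"]))
        last_syn[flow] = p
    return findings

if __name__ == "__main__":
    for flow, old, new, gap in isn_mismatches(CAPTURE):
        print(f"{flow[0]} > {flow[1]}: ISN {old} -> {new} after {gap:.3f}s")
```

Run against the quoted capture it reports the second SYN; with a constant ISN, as `hping -M` would give, it reports nothing.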