From owner-freebsd-questions@FreeBSD.ORG  Tue Nov 15 20:10:48 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B0D7A16A420
	for <freebsd-questions@freebsd.org>;
	Tue, 15 Nov 2005 20:10:48 +0000 (GMT) (envelope-from dick@nagual.st)
Received: from nagual.st (cc20684-a.assen1.dr.home.nl [82.74.2.186])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EA3A143D46
	for <freebsd-questions@freebsd.org>;
	Tue, 15 Nov 2005 20:10:47 +0000 (GMT) (envelope-from dick@nagual.st)
Received: from arwen.nagual.st (arwen.nagual.st [192.168.11.29])
	by nagual.st with esmtp; Tue, 15 Nov 2005 21:10:44 +0100
	id 0003982F.437A40C4.0000FFEC
Date: Tue, 15 Nov 2005 21:10:45 +0100
From: dick hoogendijk <dick@nagual.st>
To: fbsdq <freebsd-questions@freebsd.org>
Message-Id: <20051115211045.ecf4e043.dick@nagual.st>
Organization: de nagual
X-Mailer: Sylpheed version 2.1.6 (GTK+ 2.8.6; i386-portbld-freebsd6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: pf synproxy state
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2005 20:10:48 -0000

I have a pf.conf rule:

pass in on $ext_if proto tcp from any to $server port 80 \
   flags S/SA synproxy state

It should be safer for the webserver (so they say)..

But after a few hours of no connection I began to wonder and changed
the "synproxy state" back to "keep state" (things started to work
again).

I googled and found msgs about a non working synproxy on 5.x, but 6.0
should work (they say).

Has anybody some experience in this matter?
Does synproxy work?
Do I do something wrong? (overlooked something)?

-- 
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.0 ++ The Power to Serve
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja