Date: Thu, 16 Jun 2005 21:10:48 +0200
From: Andy Hilker <ah@crypta.net>
To: freebsd-pf@freebsd.org
Subject: synproxy and states
Message-ID: <20050616191047.GA98176@mail.crypta.net>

Hi,

I have a problem with using synproxy (FreeBSD 5.4 Release p2).

# Client with x.x.x.x does not get an answer with synproxy, keep state works
pass in log quick proto tcp from x.x.x.x to <public_www> port { 80,443 } flags S/SA synproxy state

# log said
rule 101/0(match): block in on em1: IP webserver.80 > x.x.x.x.3040: S 3694411781:3694411781(0) ack 1964249403 win 65535 <mss 1460>

# but if I allow this explicitly, the client gets an answer
pass in log quick on em1 proto tcp from any to any modulate state

What is the recommended way to work with synproxy? I do not want a rule
like the last one. I thought that state entries are the same with synproxy
as with keep state.

Topology:

---internet------ fxp0-(box with pf)-em1 --- (webserver)

If it helps, I can provide the full rule set or any other needed information.

bye,
Andy