From owner-freebsd-pf@FreeBSD.ORG  Thu Jun 16 19:10:52 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 643BD16A41C
	for <freebsd-pf@freebsd.org>; Thu, 16 Jun 2005 19:10:52 +0000 (GMT)
	(envelope-from ah@crypta.net)
Received: from mail.crypta.net (mail.crypta.net [83.136.131.3])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0E02643D49
	for <freebsd-pf@freebsd.org>; Thu, 16 Jun 2005 19:10:51 +0000 (GMT)
	(envelope-from ah@crypta.net)
Received: by mail.crypta.net (cryptobank/eProtect-smtpd, from userid 1001)
	id 422C8ECD419; Thu, 16 Jun 2005 21:10:48 +0200 (CEST)
Date: Thu, 16 Jun 2005 21:10:48 +0200
From: Andy Hilker <ah@crypta.net>
To: freebsd-pf@freebsd.org
Message-ID: <20050616191047.GA98176@mail.crypta.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-PGP-Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0xEC6E1071
X-PGP-Fingerprint: 9B2E 5892 AD93 D5C5 FB8E  3912 35D6 951B EC6E 1071
Organization: cryptobank - Andy Hilker
Subject: synproxy and states
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2005 19:10:52 -0000

Hi,

i have a problem with using synproxy (FreeBSD 5.4 Release p2).

# Client with x.x.x.x do not get an answer with synproxy, keep state works
pass in log quick               proto tcp from x.x.x.x to <public_www> port { 80,443 }  flags S/SA synproxy state
 
# log said
rule 101/0(match): block in on em1: IP webserver.80 > x.x.x.x.3040: S 3694411781:3694411781(0) ack 1964249403 win 65535 <mss 1460>

# but if allow this explicit, client get an answer
pass in log quick on em1        proto tcp from any to any modulate state

What is the recommended way to work with synproxy? I do not want
such rule like the last one. I thought that state entries are the
same with synproxy like keep state.

Topology:

---internet------ fxp0-(box with pf)-em1 --- (webserver)

If it helps I can provide full rule set or any other needed information.

bye,
Andy