From: Adam Strohl (A-Team Systems) <adams-freebsd@ateamsystems.com>
To: freebsd-pf@freebsd.org
Date: Wed, 16 May 2012 19:15:37 +0700
Message-ID: <4FB39A69.2030706@ateamsystems.com>
Subject: PF "synproxy state" doesn't work on CARP IPs

Hello,

I've noticed that when I use "synproxy state" on a rule and a connection comes in to an IP on a CARP interface, the connection opens but never gets passed on to the process as it should. For example:

    pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

will work fine if I come in to a non-CARP IP. The connection is accepted and then brokered to sshd.
However, on the same machine with the same rule, if I come in to a CARP'd IP it connects but hangs (not passed on to sshd). If I remove the "synproxy state" portion, the CARP test case works.

I've done a bunch of flipping and testing and it seems that CARP IP + PF rule with "synproxy state" doesn't work -- the connection will be accepted but not passed on like it should.

Is this known behaviour? Is there a workaround? Anything else anyone wants to know?

I've noticed this too: the physical interface seems to "include" the CARP interfaces associated with it. The rule I pasted above applies to the CARP interface even though it's specifying "bce0" as the value for $ext_if (vs. a rule for "carp1", etc.). Is that normal/expected?

I did notice in the docs that "synproxy state" doesn't work with bridge interfaces; is a CARP interface maybe falling into this category?

Any input/thoughts appreciated!

P.S. Please be sure to CC me, I am not subscribed to the PF mailing list.

-- 
Adam Strohl
A-Team Systems
http://ateamsystems.com/
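Added example, not part of the post above and not the poster's own configuration: a pf.conf fragment that lays the three situations the post describes side by side, so the address-specific rules make clear which traffic gets SYN-proxied and which does not. The interface name "bce0" is the one the post mentions; the VHID name "carp1", the addresses, the table name and the rate-limit values are placeholders. The "max-src-conn-rate" / "overload" option is standard pf stateful-tracking syntax and is an addition here, not something the post suggests; it only limits connection rate and does not replace synproxy's handshake completion.

```pf
# pf.conf fragment (added example, not from the original post).
# Interface, addresses and table name are placeholders.
ext_if  = "bce0"
real_ip = "192.0.2.10"    # address configured directly on bce0
carp_ip = "192.0.2.20"    # shared address carried by CARP (carp1)

# Hosts that exceed the rate limit below are collected here.
table <bruteforce> persist

# Case the post reports as working: synproxy on the non-CARP address.
# pf completes the three-way handshake itself and only opens the
# connection to sshd afterwards, so half-open SYNs never reach sshd.
pass in on $ext_if proto tcp from any to $real_ip port ssh \
    flags S/SA synproxy state

# Case the post reports as hanging: the identical rule aimed at the
# CARP address accepts the connection but never hands it to sshd.
# Left commented out; it documents the failing form.
# pass in on $ext_if proto tcp from any to $carp_ip port ssh \
#     flags S/SA synproxy state

# Workaround the post reports as working: drop "synproxy state" for
# the CARP address and use ordinary stateful filtering. This gives up
# SYN-proxy protection for that address, so the rate limit (placeholder
# values: more than 15 new connections in 5 seconds from one source)
# is added here to retain some flood resistance.
pass in on $ext_if proto tcp from any to $carp_ip port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Sources that tripped the limit are dropped on subsequent attempts.
block in quick on $ext_if from <bruteforce>
```

Note that, as the post observes, a rule on "bce0" already matches traffic to the CARP address on that interface, which is why the split above is done by destination address rather than by interface name. The "block ... from <bruteforce>" rule is placed after the pass rules only for readability; with "quick" it is evaluated first for any source already in the table.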