From: "Andrei Manescu - Ivorde" <andrei.manescu@ivorde.ro>
To: "Justin"
Cc: freebsd-pf@freebsd.org
Date: Mon, 26 Jul 2010 18:22:09 +0300
Subject: Re: pf synproxy
In-Reply-To: <4C4DA384.8030504@sk1llz.net>
References: <4C4D7EED.4060704@sk1llz.net> <20100726140545.GB72163@mail.hs.ntnu.edu.tw> <4C4DA384.8030504@sk1llz.net>

On Mon, July 26, 2010 6:02 pm, Justin wrote:
> ... it's not an if_bridge, thanks.
>
> On 7/26/2010 7:05 AM, Denny Lin wrote:
>> On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
>>> Hello all - I've tried searching the list but it seems something is
>>> broken and I'm getting 500 errors. Alas,
>>>
>>> Is there something unique about using synproxy in a gateway style
>>> firewall that isn't outlined in the PF manuals? Here's the scenario:
>>>
>>> Internet -> em0 | pf rules | em1 -> target host.
>>>
>> Synproxy does not work when on bridges.
>>
>> From pf.conf(5):
>> Rules with synproxy will not work if pf(4) operates on a if_bridge(4).
>>

If it helps, you're not the only one with issues. Synproxy is not for general fw use IMHO. I.e.: a friend is running a high traffic website and synproxy slows down the packet flow. Another example, if I remember correctly, is that it doesn't work with packet tagging; another one, just mentioned, is that it doesn't work with if_bridge... I gave up on it a long time ago (on FreeBSD 6). (Of course, everything is subject to different factors, like hw.)

You could, instead, try ftp-proxy, which works great with pf and passive ftp (I really can't say how effective it is against a syn flood, but you can test it).

Synproxy is a great addition to pf but, unfortunately, it doesn't lack bugs.
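For the routed-gateway scenario Justin describes (Internet -> em0 | pf | em1 -> target host, no if_bridge), a minimal pf.conf fragment with synproxy on the externally facing rule, added here as an illustration and not taken from the thread; the interface names come from Justin's message, while the target address and port list are constructed placeholders:

```conf
# Added example (not from the thread): synproxy on a routed pf gateway.
# synproxy is only meaningful here because pf forwards between em0 and em1
# at layer 3; per pf.conf(5) it does not work when pf runs on an if_bridge(4).
ext_if = "em0"
int_if = "em1"
target = "192.0.2.10"          # constructed placeholder for the target host
web_ports = "{ 80, 443 }"      # constructed placeholder port list

set skip on lo0
block in log all

# Incoming TCP to the target: pf completes the 3-way handshake itself before
# opening a connection to $target, so half-open SYNs never reach the host.
pass in on $ext_if proto tcp from any to $target port $web_ports \
    flags S/SA synproxy state

# Outbound leg toward the target host through the internal interface.
pass out on $int_if proto tcp from any to $target port $web_ports keep state

# Let the gateway itself and the internal side reach out normally.
pass out on $ext_if keep state
pass in on $int_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after loading, compare `pfctl -s state` for connections to $target with and without the synproxy rule to measure the throughput effect the reply above mentions.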