From owner-freebsd-pf@FreeBSD.ORG Thu Jul 29 02:59:22 2010
Message-ID: <4C50EE88.3010206@sk1llz.net>
Date: Wed, 28 Jul 2010 19:59:20 -0700
From: Justin
To: freebsd-pf@freebsd.org, misc@openbsd.org
References: <4C509A99.4030305@sk1llz.net>
In-Reply-To: <4C509A99.4030305@sk1llz.net>
Subject: Re: pf synproxy
List-Id: "Technical discussion and general questions about packet filter (pf)"

Confirmed - synproxy works great if the synproxy machine is the default gateway for the end host. Sadly this means scalability (adding multiple synproxy boxes) is not possible, nor is it possible to filter a specific IP out of the end machine's ranges.

Perhaps I'm shooting for the moon here - but shouldn't it be possible to have a machine validate a remote host to be real and then create a state to simply permit all traffic from it to pass without additional filtering? Thus no breaking of packets, and allowing the remote host to respond directly?
On 7/28/2010 2:01 PM, Justin wrote:
>
> Ahh. That explains it then. I was operating under the assumption
> that the machine doing the synproxy would forge the reply such that
> the TARGET host would reply to the synproxy box, not its default gateway.
>
> As in 1.2.3.4 request to client 5.5.5.5 via -> 2.3.4.5, forged 2.3.4.5
> request to 5.5.5.5, 5.5.5.5 replies to 2.3.4.5, 2.3.4.5 no longer
> proxies state and allows 1.2.3.4 and 5.5.5.5 to talk to each other
> directly.
>
> The topology is as such:
>
>   internet - switch -> em0 | pf | em1 -> switch -> client
>                 \--------------------------/
>
> So the client's default gateway out is the switch, which doesn't send
> all traffic back over the PF machine. From what you've described, the
> PF synproxy box would literally have to be inline and the default
> gateway.
>
>   internet - em0 | pf | em1 -> client
>
> Is this the case?
>
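The inline topology the thread settles on, as an added pf.conf example (not code from the thread or from the pf project): the interface names em0/em1 and the protected client address are assumptions taken from the discussion, and the block/pass defaults are an assumed minimal ruleset. It shows the rule form synproxy uses and, in the comments, why the return path has to cross the same box.

```pf
# Added example: pf.conf fragment for the inline synproxy topology
#   internet - em0 | pf | em1 -> client
# Interface names and the $client address are assumptions from the thread.
ext_if = "em0"
int_if = "em1"
client = "5.5.5.5"      # constructed: the end host being protected

# Assumed minimal policy: deny by default, let the firewall's own
# outbound traffic and any stateful replies through.
block all
pass out keep state

# synproxy state: pf answers the remote peer's SYN itself and only opens
# a connection to $client once the peer's three-way handshake completes.
# pf.conf(5) notes that synproxy includes modulate state, i.e. the two
# spliced halves carry different TCP sequence numbers and pf rewrites
# them in BOTH directions for the life of the connection.
pass in on $ext_if proto tcp from any to $client port 80 \
    flags S/SA synproxy state

# Consequence of the sequence-number rewrite: every packet the client
# sends back must traverse this box. If the client's default gateway
# bypasses pf (the first topology in the thread), the client's replies
# carry sequence numbers the remote peer never agreed to and the
# connection stalls. Nothing in the ruleset can fix that; the routing must.
```

Two checks confirm the splice is working rather than just the rule loading: `pfctl -s state` should show the connection once the remote handshake has completed, and `tcpdump -ni em1` should show the client's SYN+ACK arriving back on the pf box rather than going straight to the switch.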