From: Denis Doroshenko
To: Ryan McBride
Cc: misc@openbsd.org, freebsd-pf@freebsd.org
Date: Thu, 29 Jul 2010 11:01:05 +0300
Subject: Re: pf synproxy
In-Reply-To: <20100729053745.GC13817@countersiege.com>
References: <4C509A99.4030305@sk1llz.net> <4C50EE88.3010206@sk1llz.net> <20100729053745.GC13817@countersiege.com>
On 7/29/10, Ryan McBride wrote:
> On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote:
> > Sadly this means scalability (adding multiple synproxy boxes) is not
> > possible, ...
>
> synproxy works by completing the 3-way handshake with the source first,
> then negotiating a separate 3-way handshake with the client. Because the
> negotiations are separate and the two endpoints have no direct knowledge
> of each other, the sequence numbers negotiated are different. PF
> handles translation between the different sets of sequence numbers, and
> has to be man-in-the-middle for every packet on the connection in order
> to do this translation.

Maybe the scalability issue raised there may be solved with CARP and pfsync, so there may be two (or more?) gateways?
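The sequence-number translation Ryan describes above, as an added toy model (not pf's code, and not part of this thread): the proxy finishes one handshake with the client and a separate one with the server, so each side ends up with a different pair of initial sequence numbers (ISNs), and every later segment must have its SEQ and ACK shifted by the difference. The ISN values below are constructed, the proxy is assumed to pick its own ISN toward the server (whether a real implementation reuses the client's ISN is not something this thread states), and a lookup failure models the scalability point: a box that never saw the two handshakes holds no offsets and cannot rewrite the segment.

```python
"""Toy SYN-proxy model: two independent handshakes, per-flow SEQ/ACK offsets."""
from dataclasses import dataclass, replace

MOD = 1 << 32  # TCP sequence space wraps at 2^32, so every shift is taken modulo this


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str
    length: int = 0  # payload bytes; SYN and FIN each consume one sequence number


@dataclass
class ProxiedConn:
    """Offsets learned from the two handshakes of one proxied connection."""
    client_isn: int        # c: ISN the client chose toward the proxy
    proxy_isn_client: int  # p: ISN the proxy chose toward the client
    proxy_isn_server: int  # q: ISN the proxy chose toward the server (assumption)
    server_isn: int        # s: ISN the server chose toward the proxy

    def forward(self, seg: Segment) -> Segment:
        """client -> server: move SEQ from the (c) space to (q), ACK from (p) to (s)."""
        return replace(
            seg,
            seq=(seg.seq + self.proxy_isn_server - self.client_isn) % MOD,
            ack=(seg.ack + self.server_isn - self.proxy_isn_client) % MOD,
        )

    def reverse(self, seg: Segment) -> Segment:
        """server -> client: inverse of forward(), so each side sees its own numbering."""
        return replace(
            seg,
            seq=(seg.seq + self.proxy_isn_client - self.server_isn) % MOD,
            ack=(seg.ack + self.client_isn - self.proxy_isn_server) % MOD,
        )


class SynProxy:
    """State table keyed by (client, server); only the box that ran both handshakes has it."""

    def __init__(self):
        self.table: dict[tuple[str, str], ProxiedConn] = {}

    def install(self, client: str, server: str, conn: ProxiedConn) -> None:
        # Called once both 3-way handshakes (proxy<->client, proxy<->server) completed.
        self.table[(client, server)] = conn

    def handle(self, seg: Segment) -> Segment:
        if (seg.src, seg.dst) in self.table:          # client -> server direction
            return self.table[(seg.src, seg.dst)].forward(seg)
        if (seg.dst, seg.src) in self.table:          # server -> client direction
            return self.table[(seg.dst, seg.src)].reverse(seg)
        # No state for this flow: a second proxy box cannot translate the segment.
        raise LookupError(f"no proxied connection for {seg.src} -> {seg.dst}")


def simulate() -> dict:
    """Constructed scenario: ISNs near the 2^32 boundary to exercise wraparound."""
    c, p, q, s = 0xFFFFFFF0, 1000, 5000, 0xFFFFFF00   # constructed ISNs
    proxy = SynProxy()
    # Phase 1 (not modelled packet by packet): client SYN(c), proxy SYN-ACK(p, c+1), client ACK.
    # Phase 2: proxy SYN(q) to server, server SYN-ACK(s, q+1), proxy ACK. Now install offsets.
    proxy.install("client", "server", ProxiedConn(c, p, q, s))

    # Client sends 2 bytes of data in the numbering it negotiated with the proxy.
    to_server = proxy.handle(Segment("client", "server", seq=c + 1, ack=p + 1, flags="PA", length=2))
    # Server acknowledges those 2 bytes in the numbering it negotiated with the proxy.
    to_client = proxy.handle(Segment("server", "client", seq=s + 1, ack=q + 3, flags="A"))

    try:  # a flow this box never proxied: no offsets, no translation possible
        SynProxy().handle(Segment("client", "server", seq=c + 1, ack=p + 1, flags="PA"))
        orphan_translated = True
    except LookupError:
        orphan_translated = False

    return {
        "server_sees": (to_server.seq, to_server.ack),   # expected (q+1, s+1)
        "client_sees": (to_client.seq, to_client.ack),   # expected (p+1, c+3 mod 2^32)
        "orphan_translated": orphan_translated,
    }


if __name__ == "__main__":
    print(simulate())
```

The two `replace` calls are the whole of the translation; everything else is the bookkeeping that makes them possible. Because the offsets live only in the box that completed both handshakes, every segment of the connection has to cross that box, which is the constraint the quoted paragraph is describing.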