From: J65nko BSD <j65nko@gmail.com>
To: LukeD@pobox.com
Cc: freebsd-questions@freebsd.org
Date: Sun, 3 Apr 2005 01:07:49 +0200
Subject: Re: pf synproxy and fragments
Message-ID: <19861fba05040215079a567db@mail.gmail.com>
In-Reply-To: <20050401140521.V2111@border.crystalsphere.multiverse>

On Apr 2, 2005 12:18 AM, LukeD@pobox.com wrote:
>
> I'm running 5.3 stable.
> I've recently switched from ipfilter to pf to take advantage of the
> traffic shaping, and I've run into something I don't understand.
>
> I read the documentation on the synproxy option and it sounded good to me,
> so I replaced my "keep state" rules with "synproxy state".
>
> After doing this, I noticed that my filesharing programs stopped
> downloading. I switched back to "keep state" for the rules that handled
> my filesharing traffic and the problem went away.
>
> Today my brother called and told me that he couldn't get to my website
> anymore because his firewall said that my http service was sending a
> "fragment attack". I replaced "synproxy state" with "keep state" for the
> rules pertaining to httpd and the problem went away.
>
> Specifically, the http traffic rule was (formatted):
> pass in quick on $ext_if proto tcp from any to any port 80 flags S/SAFR
> synproxy state queue(http_out,ack_out)
>
> Having tried a few other firewalls in the past, I know that some of them
> don't like fragmented packets at all.
>
> This week's events make me believe that pf's synproxy option is causing my
> server to send out fragments, and those fragments aren't well-received.
> Is this normal with synproxy? Am I misusing synproxy? Is this just a
> coincidence?
>

In http://archives.neohapsis.com/archives/openbsd/2005-03/2760.html
somebody reported a similar problem.

Maybe you could try his "solution" by leaving out "flags S/SAFR"

=Adriaan=
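As an added illustration, not taken from either poster's configuration, here is the quoted http rule placed beside the variant the reply suggests (no "flags S/SAFR") in a pf.conf fragment that pfctl can parse on its own. The interface name, the scrub line, the altq/cbq queue definitions and the "keep state" fallback rule are assumptions filled in so the fragment is complete; the original thread only gives the one rule.

```pf
# Added example, not from the original thread.
# Assumptions: the external interface is fxp0, and the two queues the
# quoted rule references are defined with cbq using placeholder bandwidths.
ext_if = "fxp0"

# Normalization must precede queueing and filtering in pf.conf.
# Reassembling incoming fragments does not change what the host sends.
scrub in on $ext_if all fragment reassemble

# Assumed queue definitions so that queue(http_out, ack_out) resolves;
# the second queue receives empty ACKs and lowdelay-marked packets.
altq on $ext_if cbq bandwidth 1Mb queue { http_out, ack_out }
queue http_out bandwidth 70% cbq(default)
queue ack_out  bandwidth 30% priority 7

# Rule as quoted in the thread: only a bare SYN (flags S/SAFR) matches,
# and pf completes the three-way handshake itself before opening the
# connection to httpd.
pass in quick on $ext_if proto tcp from any to any port 80 flags S/SAFR \
    synproxy state queue(http_out, ack_out)

# Variant suggested in the reply: the same rule with the flags clause
# left out. Swap the comment markers to try it.
# pass in quick on $ext_if proto tcp from any to any port 80 \
#     synproxy state queue(http_out, ack_out)

# Fallback the poster reported as working (flags clause assumed):
# ordinary stateful filtering, no proxying of the handshake.
# pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA \
#     keep state queue(http_out, ack_out)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`. Before attributing the remote firewall's "fragment attack" warning to synproxy, confirm that the host really emits fragments: `tcpdump -n -i fxp0 'ip[6:2] & 0x3fff != 0'` matches any IP packet with the MF bit set or a non-zero fragment offset, so a capture on the external interface while the rule is active settles whether the complaint is about fragments at all or a coincidence.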