From: Justin <justin@sk1llz.net>
Date: Mon, 26 Jul 2010 05:26:21 -0700
To: freebsd-pf@freebsd.org
Subject: pf synproxy
Message-ID: <4C4D7EED.4060704@sk1llz.net>

Hello all -

I've tried searching the list, but it seems something is broken and I'm getting 500 errors. Alas, is there something unique about using synproxy in a gateway-style firewall that isn't outlined in the PF manuals?

Here's the scenario:

Internet -> em0 | pf rules | em1 -> target host.

1.2.3.1/29 on em0, 1.2.4.1/29 on em1, 1.2.5.1/29 on target host.

PF rules:

# loopback is not filtered
set skip on lo0
# em1: inside interface towards the target host
pass out on em1
pass in on em1
# em0: outside interface; outbound TCP gets sequence-number modulation
pass out on em0 proto tcp all modulate state
# inbound HTTP: pf completes the handshake itself before passing it on
pass in on em0 proto tcp from any to any port 80 synproxy state

When using synproxy state, the connection never completes. If we change synproxy to keep, everything works fine.
Alternately, if the service in question is running locally on the actual firewall itself, I'll see state entries show up in pfctl -s doing a proxy and then passing the connection on to itself. So why doesn't it work in the same manner when passing on to a host behind the machine?

I've tried all sorts of variations, and skipping processing on the internal interface, but I just can't seem to get it to work. All my searching has turned up nothing. I've also tried state-policy if-bound and there appears to be no change.

Is this a bug? Have I missed something totally obvious?

-Justin
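As an added example (not part of Justin's post and not pf's own tooling), here is how a practitioner would read the stage column of `pfctl -ss` to see which half of a proxied handshake is stalling. A synproxy state shows PROXY:SRC while pf is still handshaking with the client, PROXY:DST once pf has sent its own SYN toward the server and is waiting for the server's SYN/ACK, and ESTABLISHED:ESTABLISHED once both halves are up. Which of these the port 80 states sit in narrows the problem to the outside or the inside leg. The `pfctl -ss` output below is constructed for illustration; it reuses the post's 1.2.3.0/29 block and assumes clients in 203.0.113.0/24.

```shell
#!/bin/sh
# Added example: classify synproxy states from `pfctl -ss` by handshake stage.
# Not from the original post. The sample output is CONSTRUCTED; the stage
# names (PROXY:SRC, PROXY:DST, ESTABLISHED:ESTABLISHED) are what pfctl prints.

# Constructed sample of `pfctl -ss`: "<if> tcp <local>:<port> <- <remote>:<port>  <stage>"
SAMPLE_STATES='all tcp 1.2.3.2:80 <- 203.0.113.7:49152       PROXY:SRC
all tcp 1.2.3.2:80 <- 203.0.113.8:49153       PROXY:DST
all tcp 1.2.3.2:80 <- 203.0.113.9:49154       ESTABLISHED:ESTABLISHED
em0 tcp 1.2.3.2:22 <- 203.0.113.7:49155       ESTABLISHED:ESTABLISHED'

# explain_stage STAGE -> which side of the proxy is waiting in that stage
explain_stage() {
    case "$1" in
        PROXY:SRC)
            echo "pf sent SYN/ACK to the client; waiting for the client's ACK (outside leg)" ;;
        PROXY:DST)
            echo "client half done; pf sent its own SYN to the server, waiting for SYN/ACK (inside leg)" ;;
        ESTABLISHED:ESTABLISHED)
            echo "both halves up; pf is rewriting sequence numbers between client and server" ;;
        *)
            echo "not a synproxy stage" ;;
    esac
}

# count_stage STAGE PORT [STATES] -> number of TCP states to PORT in STAGE.
# STATES defaults to the constructed sample; feed real `pfctl -ss` output instead.
count_stage() {
    stage=$1
    port=$2
    states=${3:-$SAMPLE_STATES}
    printf '%s\n' "$states" | awk -v stage="$stage" -v port="$port" '
        $2 == "tcp" && $3 ~ (":" port "$") && $NF == stage { n++ }
        END { print n + 0 }'
}

# report PORT [STATES] -> one line per stage with the count and its meaning
report() {
    port=$1
    states=${2:-$SAMPLE_STATES}
    for stage in PROXY:SRC PROXY:DST ESTABLISHED:ESTABLISHED; do
        n=$(count_stage "$stage" "$port" "$states")
        printf '%-24s %3d  %s\n' "$stage" "$n" "$(explain_stage "$stage")"
    done
}

# On the firewall itself this would be: report 80 "$(pfctl -ss)"
report 80
```

If the port 80 states sit in PROXY:DST, pf's own SYN toward the target has left but no SYN/ACK ever matched the state, so the next thing to look at is the inside leg with `tcpdump -ni em1 port 80`; if they sit in PROXY:SRC, the client never answered pf's SYN/ACK and the outside leg is the place to look.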