From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 9 Feb 2005 19:44:40 +0100
Subject: Re: problems with synproxy on 5.3-stable

On Wednesday 09 February 2005 14:10, Andy Hilker wrote:
> Hi,
>
> I have migrated from ipfilter to pf and have problems with synproxy.
> First: many thanks for importing pf to freebsd :)
>
> pf protects only localhost with multiple IPs and jails. There is
> only 1 outside interface.
>
> When I use "keep state" everything works normally. If using synproxy,
> a few people are having problems accessing pop3 and http on my server.
> Requests are incomplete or corrupt (for example get requests in
> httpd-access.log). But it seems that this problem occurs only for
> a few people.
>
> Is there any way to "count" or monitor the activity of synproxy to
> see how many clients are blocked?
> Any ideas why synproxy does not work for these "few people"?

Not really, but tcpdump can help. Add log-all to the synproxy and try to
watch the connection in tcpdump on pflog0 with something like:

  $tcpdump -n -e -ttt -i pflog0 rulenum and host "testip"

You might also want to raise the debugging level with "$pfctl -x misc" and
watch the console for BAD state messages.

Keep us posted, thanks.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
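For the "count" part of the question, an added example (not part of the original message or of pf): a shell function that tallies saved "tcpdump -n -e -ttt -i pflog0" text output per client for one rule. The rule number 3, the sample lines and the helper names are constructed, and the "rule N/x(match): ... src > dst: flags" line layout is an assumption about the tcpdump version in use. Reading "SYNs only" as a client that never gets past the proxy is a heuristic.

```shell
#!/bin/sh
# Constructed sample of pflog0 text output (documentation addresses; rule 3 is
# a hypothetical synproxy rule, rule 7 an unrelated rule that must be ignored).
sample_pflog() {
cat <<'EOF'
000000 rule 3/0(match): pass in on fxp0: 192.0.2.10.51234 > 198.51.100.5.80: S 1000:1000(0) win 65535 <mss 1460>
000150 rule 3/0(match): pass in on fxp0: 192.0.2.10.51234 > 198.51.100.5.80: . ack 1 win 65535
000900 rule 3/0(match): pass in on fxp0: 192.0.2.10.51234 > 198.51.100.5.80: P 1:120(119) ack 1 win 65535
003000 rule 3/0(match): pass in on fxp0: 203.0.113.7.40001 > 198.51.100.5.110: S 5000:5000(0) win 16384 <mss 1400>
3. 000000 rule 3/0(match): pass in on fxp0: 203.0.113.7.40001 > 198.51.100.5.110: S 5000:5000(0) win 16384 <mss 1400>
6. 000000 rule 3/0(match): pass in on fxp0: 203.0.113.7.40001 > 198.51.100.5.110: S 5000:5000(0) win 16384 <mss 1400>
000200 rule 7/0(match): pass in on fxp0: 192.0.2.99.2222 > 198.51.100.5.22: S 1:1(0) win 65535
EOF
}

# synproxy_summary RULE: read pflog text on stdin and print, per source address,
# how many bare SYNs and how many other packets were logged for that rule.
synproxy_summary() {
    awk -v rule="$1" '
    {
        # Find the "rule N/x(match):" pair; -ttt may print 1 or 2 time fields.
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i >= NF) next
        split($(i + 1), r, "/")
        if (r[1] != rule) next
        # The source endpoint is the field just before ">".
        for (j = i; j <= NF; j++) if ($j == ">") break
        if (j + 2 > NF) next
        src = $(j - 1)
        sub(/\.[0-9]+$/, "", src)        # strip the source port
        f = $(j + 2)                     # old notation: "S", ".", "P"
        if (f == "Flags") f = $(j + 3)   # newer notation: "Flags [S],"
        gsub(/[^A-Z.]/, "", f)
        if (f == "S" && $0 !~ / ack /) {
            syn[src]++                   # SYN without ACK: a connection attempt
        } else {
            other[src]++                 # anything after the handshake started
        }
        seen[src] = 1
    }
    END { for (s in seen) printf "%s syn=%d other=%d\n", s, syn[s], other[s] }
    ' | sort
}

sample_pflog | synproxy_summary 3
```

In the sample, 203.0.113.7 shows three retransmitted SYNs and nothing else, which marks it as a client worth following in tcpdump alongside the console output from "pfctl -x misc".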