From: Vladimir Ermakov
Date: Fri, 05 Dec 2008 11:23:28 +0300
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: synproxy state does not work on FreeBSD 7.1-PRERELEASE
Message-ID: <4938E500.9090805@gmail.com>
In-Reply-To: <200812041828.34033.max@love2party.net>

Max Laier wrote:
> On Thursday 04 December 2008 16:47:13 Max Laier wrote:
>
>> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote:
>>
>>> problem is fixed in OpenBSD 4.4
>>> http://www.openbsd.org/plus44.html
>>>
>> The bug this note refers to was introduced after OpenBSD 4.1 (our last
>> import) and should not be present in the FreeBSD code. I'll double check
>> in a bit to make sure synproxy is working, but I don't think it was broken
>> after my last import ... do you have a particular test case that I could
>> reproduce?
>>
>
> Okay ... here is the story: First off, "synproxy state" is *NOT* broken! But
> you need to be careful how you use it. If you - like the OP - intend to use
> it to protect a service running on the same box as your pf, you must make sure
> to "set skip on lo0" or it will not work. If you are protecting a box behind
> the pf box, there is no need for that.
>
>

Can `synproxy state` work on the CARP interface?

/Vladimir Ermakov