Date: Fri, 1 Apr 2005 14:18:15 -0800 (PST)
From: LukeD@pobox.com
To: freebsd-questions@freebsd.org
Subject: pf synproxy and fragments
Message-ID: <20050401140521.V2111@border.crystalsphere.multiverse>
I'm running 5.3 stable. I've recently switched from ipfilter to pf to take advantage of the traffic shaping, and I've run into something I don't understand.

I read the documentation on the synproxy option and it sounded good to me, so I replaced my "keep state" rules with "synproxy state". After doing this, I noticed that my filesharing programs stopped downloading. I switched back to "keep state" for the rules that handled my filesharing traffic and the problem went away.

Today my brother called and told me that he couldn't get to my website anymore because his firewall said that my http service was sending a "fragment attack". I replaced "synproxy state" with "keep state" for the rules pertaining to httpd and the problem went away. Specifically, the http traffic rule was (formatted):

    pass in quick on $ext_if proto tcp from any to any port 80 \
        flags S/SAFR synproxy state queue(http_out, ack_out)

Having tried a few other firewalls in the past, I know that some of them don't like fragmented packets at all. This week's events make me believe that pf's synproxy option is causing my server to send out fragments, and those fragments aren't well-received.

Is this normal with synproxy? Am I misusing synproxy? Is this just a coincidence?

Luke Dean