Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 1 Apr 2005 14:18:15 -0800 (PST)
From:      LukeD@pobox.com
To:        freebsd-questions@freebsd.org
Subject:   pf synproxy and fragments
Message-ID:  <20050401140521.V2111@border.crystalsphere.multiverse>

next in thread | raw e-mail | index | archive | help

I'm running 5.3 stable.
I've recently switched from ipfilter to pf to take advantage of the 
traffic shaping, and I've run into something I don't understand.

I read the documentation on the synproxy option and it sounded good to me, 
so I replaced my "keep state" rules with "synproxy state".

After doing this, I noticed that my filesharing programs stopped 
downloading.  I switched back to "keep state" for the rules that handled 
my filesharing traffic and the problem went away.

Today my brother called and told me that he couldn't get to my website 
anymore because his firewall said that my http service was sending a 
"fragment attack".  I replaced "synproxy state" with "keep state" for the 
rules pertaining to httpd and the problem went away.

Specifically, the http traffic rule was (formatted):
pass in quick on $ext_if proto tcp from any to any port 80 flags S/SAFR 
synproxy state queue(http_out,ack_out)

Having tried a few other firewalls in the past, I know that some of them 
don't like fragmented packets at all.

This week's events make me believe that pf's synproxy option is causing my 
server to send out fragments, and those fragments aren't well-received. 
Is this normal with synproxy?  Am I misusing synproxy?  Is this just a 
coincidence?

Luke Dean



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050401140521.V2111>