problems with synproxy on 5.3-stable

Max Laier max at love2party.net
Wed Feb 9 14:11:24 PST 2005 

On Wednesday 09 February 2005 22:58, Andy Hilker wrote:
> You (Max Laier) wrote:
> > Not really, but tcpdump can help.  Add log-all to the synproxy and try to
> > watch the connection in tcpdump on pflog0 with something like:
> > $tcpdump -n -e -ttt -i pflog0 rulenum <rule#> and host "testip"
> >
> > You might also want to raise the debugging level with "$pfctl -x misc"
> > and watch the console for BAD state messages.
>
> Ok, i modified my ruleset like this:
>
>  [...]
>  set loginterface $if_ext

That does not matter here.  It only affects $pfctl -si

>  [...]
>  pass in log quick on $if_ext proto tcp from           any to <www_servers>
           ^^^
Change this to "log-all" in order to get the full transaction log on pflog.  
If you happen to know a "known bad"-peer you can also split the rule as:

pass in log-all quick on $if_ext proto tcp from $bad_peer to <www_servers> \
    port = 80 flags S/SA synproxy state
pass in         quick on $if_ext proto tcp from any to <www_servers> \
    port = 80 flags S/SA synproxy state

> port = 80 flags S/SA synproxy state
>
> Then typed "pfctl -x loud" and "tcpdump -n -e -ttt -i pflog0".
> Output looks like without "pfctl -x loud". Where do i see debug output?

$dmesg -a should turn it up.  It's written to the console.

> > Keep us posted, thanks.
>
> Yes, sure.
> But before I call the person who has problems and let him try again,
> I have to be sure, to debug the right way.

Be sure to have pflogd(8) or tcpdump logging the traffic on pflog0 while the 
connection attempt.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20050209/c115dfc4/attachment.bin

More information about the freebsd-pf mailing list