synproxy and states
Andy Hilker
ah at crypta.net
Thu Jun 16 19:10:52 GMT 2005
Hi,
I have a problem with using synproxy (FreeBSD 5.4 Release p2).
# Client with x.x.x.x does not get an answer with synproxy; keep state works
pass in log quick proto tcp from x.x.x.x to <public_www> port { 80,443 } flags S/SA synproxy state
# log said
rule 101/0(match): block in on em1: IP webserver.80 > x.x.x.x.3040: S 3694411781:3694411781(0) ack 1964249403 win 65535 <mss 1460>
# but if I allow this explicitly, the client gets an answer
pass in log quick on em1 proto tcp from any to any modulate state
What is the recommended way to work with synproxy? I do not want
such a rule like the last one. I thought that state entries are the
same with synproxy as with keep state.
Topology:
---internet------ fxp0-(box with pf)-em1 --- (webserver)
If it helps I can provide full rule set or any other needed information.
bye,
Andy
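The first thing to check when a synproxy rule behaves unlike keep state is whether the synproxy state was created at all, which interface it is bound to, and whether it is still stuck in the proxy handshake. The script below is an added example, not part of the original post or of pf itself: it parses state lines in the layout printed by `pfctl -ss` (interface, protocol, source, direction, destination, TCP state) and labels each one. The sample lines, addresses and ports are constructed, and the field layout is assumed from the plain (non-NAT) `pfctl -ss` output.

```shell
#!/bin/sh
# Added example (not from the original post): summarise pf state entries in
# the format printed by `pfctl -ss`, so you can see whether a synproxy rule
# created a state, which interface it is bound to, and whether the proxied
# handshake ever finished.
# Assumed field layout: <if> <proto> <src> <dir> <dst> <tcp-state>
# The lines below are CONSTRUCTED sample data, not output from a real box.

SAMPLE_STATES='all tcp 192.0.2.10:80 <- 198.51.100.7:3040       PROXY:DST
fxp0 tcp 192.0.2.10:80 <- 198.51.100.8:3041       ESTABLISHED:ESTABLISHED
em1 tcp 198.51.100.9:3042 -> 192.0.2.10:80       PROXY:SRC'

# One line per state: proto, endpoints, interface binding, and whether the
# state is still inside the synproxy handshake (PROXY:SRC while pf completes
# the handshake with the client, PROXY:DST while it completes the one with
# the server) or already ESTABLISHED.
summarize_states() {
    printf '%s\n' "$1" | awk '
        NF >= 6 {
            proto = $2; src = $3; dir = $4; dst = $5; st = $6
            phase = (st ~ /^PROXY:/) ? "synproxy-handshake" : "established"
            bound = ($1 == "all") ? "floating" : "bound:" $1
            printf "%s %s %s %s %s %s\n", proto, src, dir, dst, bound, phase
        }'
}

# Number of states that have not left the synproxy handshake phase.
count_proxy_states() {
    printf '%s\n' "$1" | awk '$6 ~ /^PROXY:/ { n++ } END { print n + 0 }'
}

# Usage on a live system would be: summarize_states "$(pfctl -ss)"
summarize_states "$SAMPLE_STATES"
echo "states still in synproxy handshake: $(count_proxy_states "$SAMPLE_STATES")"
```

A state that stays in PROXY:DST means pf finished the handshake with the client but never completed the one it initiates toward the server; that is consistent with the blocked SYN-ACK from the webserver on em1 in the log above, and it is the place to look before adding a broad pass rule on the inside interface.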