pf synproxy in 6.0
Max Laier
max at love2party.net
Wed Nov 23 05:56:18 PST 2005
On Wednesday 23 November 2005 14:42, Alex wrote:
> In contrast, looks like synproxy is _not_ working in 6-stable from
> November, 22nd.
> The same ruleset for inbound traffic is working successfully on
> 5.4-STABLE.
> The workaround I've done is a change 'synproxy' option to 'modulate'
> Any ideas and info?
There has been a change in how synproxy works. With OpenBSD's revision 1.437
of pf.c: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.437 the
secondary handshake no longer passes unconditionally, but must be allowed by
a separate rule. Something like:
pass on $int_if proto tcp from any to $synproxied flags S/SA
should do. Can you please check and confirm? I am afraid this difference in
behavior from normal "keep/modulate" vs. "synproxy" is underdocumented -
suggestions appreciated.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
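To make the change concrete, here is a complete pf.conf fragment built around the rule Max quotes above. This is an added example, not the ruleset Alex or Max posted; the interface macros ($ext_if, $int_if), the $synproxied address and the choice of port 80 are assumptions made for illustration.

```pf
# Added example (not from the list post). Macro values are assumptions.
ext_if = "em0"
int_if = "em1"
synproxied = "192.0.2.10"      # internal host whose TCP service is proxied

block all

# Client side: pf completes the three-way handshake with the client on
# its own and only afterwards opens the connection to $synproxied.
pass in on $ext_if proto tcp from any to $synproxied port 80 \
    flags S/SA synproxy state

# Server side: since OpenBSD pf.c rev 1.437 the SYN that pf itself sends
# towards $synproxied no longer passes unconditionally but is evaluated
# against the ruleset; with the "block all" above it would be dropped
# unless a rule like this one (the rule suggested in the reply) allows it.
# Omitting in/out makes the rule match both directions on $int_if.
pass on $int_if proto tcp from any to $synproxied flags S/SA
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it; the `-n` flag checks the syntax without changing the running ruleset. If the old 5.4 ruleset is used unchanged on 6.x, the symptom is exactly the one reported above: the client handshake completes, but the proxied connection to the internal host never does, because its initial SYN has no matching pass rule on $int_if.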