pf synproxy
Daniel Hartmeier
daniel at benzedrine.cx
Tue Jul 27 07:48:58 UTC 2010
On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
> When using synproxy state - the connection never completes. If we change
> synproxy to keep, everything works fine. Alternately, if the service in
> question is running locally on the actual firewall itself, I'll see
> state entries show up in pfctl -s doing a proxy and then passing the
> connection on to itself - so why doesn't it work in the same manner
> when passing on to a host behind the machine? I've tried all sorts of
> variations and skipping processing on internal interface, but I just
> can't seem to get it to work. All my searching has turned up nothing.
> I've also tried state-policy if-bound and there appears to be no change.
> Is this a bug? Have I missed something totally obvious?
Concurrently run
# tcpdump -nvSi em0 tcp port 80
and
# tcpdump -nvSi em1 tcp port 80
and reproduce one connection failure. What do you see?
Does the TCP handshake (SYN, SYN+ACK, ACK) complete between
client and pf? And the one between pf and the server?
Right after the failure, does pfctl -vvss show a state entry
for the failed connection? What does it look like?
Run pfctl -vvsi before and after the failure. Which counters
are increasing?
Enable verbose logging (pfctl -x misc); does /var/log/messages
show any message possibly related to the failure?
Kind regards,
Daniel
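The collection steps above, turned into a script as an added example that is not Daniel's or the thread's own code: it snapshots pfctl -vvsi, runs both tcpdumps in parallel, dumps the state table right after the failure, and reports which counters increased. It assumes FreeBSD pf with em0 toward the client and em1 toward the server, tcp port 80 as in the question, root privileges and a scratch directory; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: collect the evidence Daniel asks
# for around one reproduction. Assumes FreeBSD pf, em0 facing the client
# and em1 facing the server, tcp port 80 (as in the question), root, and
# a scratch directory ($1, default /tmp/pfdiag). Function names are mine.

# Print "name total" for each single-word counter line in a pfctl -vvsi
# snapshot, e.g. "  synproxy     3     0.0/s" -> "synproxy 3".
pf_counters() {
    awk '/^  [a-z-]+ +[0-9]+/ { print $1, $2 }' "$1"
}

# Compare two snapshots (before, after) and print only the counters
# whose total went up, with the delta, e.g. "state-mismatch 1".
pf_counter_deltas() {
    awk '/^  [a-z-]+ +[0-9]+/ {
            if (NR == FNR) prev[$1] = $2                 # first file: before
            else if (($1 in prev) && $2 > prev[$1]) print $1, $2 - prev[$1]
        }' "$1" "$2"
}

# Snapshot counters, sniff both sides of pf, wait for the tester to
# reproduce the failure, then dump states and report counter deltas.
pf_synproxy_capture() {
    out=${1:-/tmp/pfdiag}
    mkdir -p "$out"
    pfctl -vvsi > "$out/info.before"
    pfctl -x misc                                    # verbose pf logging
    tcpdump -nvSi em0 tcp port 80 > "$out/em0.txt" 2>&1 &
    ext=$!
    tcpdump -nvSi em1 tcp port 80 > "$out/em1.txt" 2>&1 &
    int=$!
    printf 'Reproduce the failed connection, then press Enter: '
    read _
    pfctl -vvss > "$out/states.txt"                  # states right after the failure
    pfctl -vvsi > "$out/info.after"
    kill "$ext" "$int"
    pfctl -x none                                    # restore the default debug level
    echo "captures in $out; counters that increased during the test:"
    pf_counter_deltas "$out/info.before" "$out/info.after"
}

# Usage: sh pfdiag.sh run [outdir]
if [ "${1:-}" = "run" ]; then
    pf_synproxy_capture "$2"
fi
```

After a run, grep states.txt for the client address and compare the handshake seen in em0.txt with what reaches em1.txt, as the questions above ask.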