PF "synproxy state" doesn't work on CARP IPs
Adam Strohl
adams-freebsd at ateamsystems.com
Wed May 16 12:15:41 UTC 2012
Hello,
I've noticed that when I use "synproxy state" on a rule and a connection
comes in to an IP on a CARP interface the connection opens but never
gets passed on to the process as it should.
For example:
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
Will work fine if I come in to a non-CARP IP. The connection is
accepted and then brokered to SSHd.
However on the same machine with the same rule if I come in to a CARP'd
IP it connects but hangs (not passed on to SSHd).
If I remove the "synproxy state" portion the CARP test case works.
I've done a bunch of flipping and testing and it seems that CARP IP + PF
rule with "synproxy state" doesn't work -- the connection will be
accepted but not passed on like it should.
Is this known behaviour? Is there a workaround? Anything else anyone
wants to know?
I've noticed this too: the physical interface seems to "include" the
CARP interfaces associated with it. The above rule I pasted applies to
the CARP interface even though it's specifying "bce0" as the value for
$ext_if (vs. a rule for "carp1", etc.). Is that normal/expected?
I did notice in the docs that "synproxy state" doesn't work with bridge
interfaces; is a CARP interface maybe falling into this category?
Any input/thoughts appreciated!
P.S.
Please be sure to CC me, I am not subscribed to the PF mailing list.
--
Adam Strohl
A-Team Systems
http://ateamsystems.com/