From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: freebsd-stable@freebsd.org, Vladimir Ermakov
Date: Thu, 4 Dec 2008 18:28:33 +0100
Subject: Re: synproxy state does not work on FreeBSD 7.1-PRERELEASE

On Thursday 04 December 2008 16:47:13 Max Laier wrote:
> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote:
> > problem is fixed in OpenBSD 4.4
> > http://www.openbsd.org/plus44.html
>
> The bug this note refers to was introduced after OpenBSD 4.1 (our last
> import) and should not be present in the FreeBSD code.  I'll double check
> in a bit to make sure synproxy is working, but I don't think it was broken
> after my last import ... do you have a particular test case that I could
> reproduce?

Okay ... here is the story:

First off, "synproxy state" is *NOT* broken!  But you need to be careful how
you use it.  If you - like the OP - intend to use it to protect a service
running on the same box as your pf, you must make sure to "set skip on lo0"
or it will not work.  If you are protecting a box behind the pf box, there
is no need for that.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
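A heuristic check for the pitfall described in the mail above, as an added example that is not part of the original message or of pf itself: it flags a pf.conf that uses "synproxy state" without "set skip on lo0". The function names, the interface name em0, port 80 and both sample rulesets are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original mail. Heuristic: flag a pf.conf that
# uses "synproxy state" while lo0 is absent from every "set skip on" line.
# It cannot tell whether the protected service is local, so review each hit.

# check_synproxy_skip FILE -> 0 = ok, 1 = synproxy without skip on lo0
check_synproxy_skip() {
    awk '
        { sub(/#.*/, "") }                       # ignore pf.conf comments
        /synproxy[ \t]+state/ { synproxy = 1 }
        /^[ \t]*set[ \t]+skip[ \t]+on[ \t{]/ &&
            /(^|[ \t{,])lo0([ \t},]|$)/ { skip = 1 }
        END { exit ((synproxy && !skip) ? 1 : 0) }
    ' "$1"
}

# Constructed sample: service on the pf box itself, lo0 still filtered.
write_weak() {
    cat > "$1" <<'EOF'
ext_if = "em0"
block in on $ext_if all
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA synproxy state
pass out on $ext_if all keep state
EOF
}

# Constructed sample: same ruleset with loopback skipped, as the mail advises.
write_fixed() {
    cat > "$1" <<'EOF'
ext_if = "em0"
set skip on lo0
block in on $ext_if all
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA synproxy state
pass out on $ext_if all keep state
EOF
}

# Demo: lint both constructed samples.
dir=$(mktemp -d)
write_weak "$dir/weak.conf"; write_fixed "$dir/fixed.conf"
for f in "$dir/weak.conf" "$dir/fixed.conf"; do
    if check_synproxy_skip "$f"; then echo "ok:   $f"
    else echo "WARN: $f uses synproxy state without 'set skip on lo0'"; fi
done
rm -rf "$dir"
```

A warning is only relevant when the synproxy rule protects a service on the pf box itself; per the mail, a ruleset protecting a host behind the pf box does not need the skip.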