Date: Mon, 26 Jul 2010 18:22:09 +0300
From: "Andrei Manescu - Ivorde" <andrei.manescu@ivorde.ro>
To: "Justin" <justin@sk1llz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf synproxy
Message-ID: <f24e053c626b4e4d09679119ba4d812a.squirrel@mail.ivorde.ro>
In-Reply-To: <4C4DA384.8030504@sk1llz.net>
References: <4C4D7EED.4060704@sk1llz.net> <20100726140545.GB72163@mail.hs.ntnu.edu.tw> <4C4DA384.8030504@sk1llz.net>
On Mon, July 26, 2010 6:02 pm, Justin wrote:
> ... it's not an if_bridge, thanks.
>
> On 7/26/2010 7:05 AM, Denny Lin wrote:
>> On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
>>> Hello all - I've tried searching the list but it seems something is
>>> broken and I'm getting 500 errors. Alas,
>>>
>>> Is there something unique about using synproxy in a gateway style
>>> firewall that isn't outlined in the PF manuals? Here's the scenario:
>>>
>>> Internet -> em0 | pf rules | em1 -> target host.
>>
>> Synproxy does not work when on bridges.
>>
>> From pf.conf(5):
>> Rules with synproxy will not work if pf(4) operates on a if_bridge(4).
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

If it helps, you're not the only one with issues. Synproxy is not for general fw use IMHO. I.e.: a friend is running a high traffic website and synproxy slows down the packet flow. Another example, if I remember correctly, is that it doesn't work with packet tagging; another one, just mentioned, is that it doesn't work with if_bridge... I gave up on it a long time ago (on FreeBSD 6). (Of course, everything is subject to different factors, like hw.) You could, instead, try ftp-proxy, which works great with pf and passive ftp (I really can't say how effective it is against a syn flood, but you can test it). Synproxy is a great addition to pf but, unfortunately, it isn't free of bugs.
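For reference, here is a minimal pf.conf for the routed (non-bridge) topology Justin describes, with synproxy applied to one service. This is an added example, not configuration from any poster in the thread; the interface names em0/em1 come from the thread, while the target address (an RFC 5737 documentation address), the port and the rule layout are assumptions.

```pf
# Added example, not from the thread: routed gateway
#   Internet -> em0 | pf rules | em1 -> target host
# em0/em1 are from the thread; $target and $web_port are assumptions.
ext_if   = "em0"
int_if   = "em1"
target   = "192.0.2.10"   # constructed documentation address
web_port = "80"

set skip on lo0

# Default deny; log what is dropped so floods are visible in pflog.
block log all

# synproxy: pf answers the client's SYN and completes the three-way
# handshake itself. Only once the client finishes the handshake does pf
# open the connection to $target, so spoofed SYNs never reach the host.
# Per pf.conf(5), this has no effect if em0/em1 are if_bridge(4) members;
# pf must be routing between the two interfaces, as in this layout.
pass in on $ext_if proto tcp from any to $target port $web_port \
    flags S/SA synproxy state

# Forward the proxied connection to the target on the inside interface.
pass out on $int_if proto tcp from any to $target port $web_port \
    flags S/SA keep state

# Gateway-originated traffic and established replies leaving em0.
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, confirm with `ifconfig` that neither em0 nor em1 is a bridge member, and then watch `pfctl -vsr` rule counters and `pfctl -ss` (proxied connections show as PROXY:SRC / PROXY:DST while pf is still handling the handshake). If the synproxy rule's counters never move under load, the rule is not being hit and the topology or rule order is the first thing to revisit.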
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f24e053c626b4e4d09679119ba4d812a.squirrel>