Date:      Thu, 29 Jul 2010 11:01:05 +0300
From:      Denis Doroshenko <denis.doroshenko@gmail.com>
To:        Ryan McBride <mcbride@openbsd.org>
Cc:        misc@openbsd.org, freebsd-pf@freebsd.org
Subject:   Re: pf synproxy
Message-ID:  <AANLkTikSNYRnsuxhrtX8iV46uHtKF%2BiQxxPyXyJ_=zBJ@mail.gmail.com>
In-Reply-To: <20100729053745.GC13817@countersiege.com>
References:  <4C509A99.4030305@sk1llz.net> <4C50EE88.3010206@sk1llz.net> <20100729053745.GC13817@countersiege.com>

On 7/29/10, Ryan McBride <mcbride@openbsd.org> wrote:
> On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote:
>  >  Sadly this means scalability (adding multiple synproxy boxes) is not
>  >  possible,
...
>  synproxy works by completing the 3-way handshake with the source first,
>  then negotiating a separate 3-way handshake with the client. Because the
>  negotiations are separate and the two endpoints have no direct knowledge
>  of each other, their sequence numbers negotiated are different. PF
>  handles translation between the different sets of sequence numbers, and
>  has to be man-in-the-middle for every packet on the connection in order
>  to do this translation.

Maybe the scalability issue raised there may be solved with CARP and
pfsync, so there may be two (or more?) gateways?
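The following is an added illustration for this archive page, not pf's source and not code from anyone in the thread. It models the mechanism Ryan describes: the proxy finishes a three-way handshake with the client using an ISN of its own, then opens a separate handshake with the server, and from then on rewrites the sequence number on every server-to-client segment and the acknowledgement number on every client-to-server segment by the difference between the two ISNs. All ISNs below are constructed values (a real proxy picks its ISN randomly), and reusing the client's ISN towards the server is a modelling assumption, not a statement about how pf does it. The last function shows why the translation offset is per-connection state: a second gateway that never saw the handshakes cannot forward the connection, which is the state-sharing problem behind the CARP/pfsync question above.

```python
"""Simplified model of a SYN proxy's sequence-number translation.

Added illustration, not pf's implementation. ISNs are constructed;
reusing the client's ISN for the server-side SYN is an assumption.
"""
from dataclasses import dataclass, replace

MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str
    seq: int
    ack: int
    payload: bytes = b""


class SynProxy:
    """Handshake with the client first, then with the server, then translate."""

    def __init__(self, proxy_isn: int):
        self.proxy_isn = proxy_isn % MOD
        self.client_isn = None
        self.server_isn = None
        # Per-connection offset (proxy ISN - server ISN). Only a box that
        # holds this value can forward the established connection.
        self.delta = None

    # Phase 1: three-way handshake with the client; the server is not contacted.
    def on_client_syn(self, syn: Segment) -> Segment:
        self.client_isn = syn.seq
        return Segment(syn.dst, syn.src, "SA", self.proxy_isn, (syn.seq + 1) % MOD)

    def on_client_ack(self, ack: Segment) -> Segment:
        if ack.ack != (self.proxy_isn + 1) % MOD:
            raise ValueError("client ACK does not complete the proxied handshake")
        # Phase 2: open the real connection to the server (client's ISN reused).
        return Segment(ack.src, ack.dst, "S", self.client_isn, 0)

    def on_server_synack(self, synack: Segment) -> Segment:
        self.server_isn = synack.seq
        # The server chose its own ISN; remember how far it is from ours.
        self.delta = (self.proxy_isn - self.server_isn) % MOD
        return Segment(synack.dst, synack.src, "A",
                       (self.client_isn + 1) % MOD, (self.server_isn + 1) % MOD)

    # Established: every segment in both directions is rewritten here.
    def translate(self, seg: Segment, to_client: bool) -> Segment:
        if self.delta is None:
            raise RuntimeError("no translation state for this connection")
        if to_client:
            # Server -> client: move the server's seq into the space the client expects.
            return replace(seg, seq=(seg.seq + self.delta) % MOD)
        # Client -> server: move the client's ack back into the server's space.
        return replace(seg, ack=(seg.ack - self.delta) % MOD)


def simulate(client_isn: int, proxy_isn: int, server_isn: int, data: bytes = b"hello"):
    """Run both handshakes and one data exchange; return what each end observes."""
    proxy = SynProxy(proxy_isn)

    # Phase 1: client <-> proxy
    synack_c = proxy.on_client_syn(Segment("client", "server", "S", client_isn, 0))
    ack_c = Segment("client", "server", "A", (client_isn + 1) % MOD, (synack_c.seq + 1) % MOD)

    # Phase 2: proxy <-> server
    syn_s = proxy.on_client_ack(ack_c)
    synack_s = Segment("server", "client", "SA", server_isn, (syn_s.seq + 1) % MOD)
    proxy.on_server_synack(synack_s)

    # Server sends data, client acknowledges it; both segments cross the proxy.
    from_server = Segment("server", "client", "PA",
                          (server_isn + 1) % MOD, (client_isn + 1) % MOD, data)
    seen_by_client = proxy.translate(from_server, to_client=True)
    client_ack = Segment("client", "server", "A",
                         (client_isn + 1) % MOD, (seen_by_client.seq + len(data)) % MOD)
    seen_by_server = proxy.translate(client_ack, to_client=False)

    return {
        "client_sees_seq": seen_by_client.seq,
        "client_expects_seq": (proxy_isn + 1) % MOD,
        "server_sees_ack": seen_by_server.ack,
        "server_expects_ack": (server_isn + 1 + len(data)) % MOD,
        "delta": proxy.delta,
    }


def second_box_can_forward(proxy_isn: int) -> bool:
    """A gateway that never saw the handshakes has no delta and cannot translate."""
    fresh = SynProxy(proxy_isn)
    try:
        fresh.translate(Segment("server", "client", "PA", 1, 1), to_client=True)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    print(simulate(1000, 5000, 90000))
    print("stateless second box can forward:", second_box_can_forward(5000))
```

Both ends stay consistent only because the offset is applied to every segment, which is the man-in-the-middle cost Ryan describes; the wraparound case in the model is handled by keeping all arithmetic modulo 2^32.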
