Date:      Tue, 27 Jul 2010 09:48:50 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Justin <justin@sk1llz.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf synproxy
Message-ID:  <20100727074850.GB1114@insomnia.benzedrine.cx>
In-Reply-To: <4C4D7EED.4060704@sk1llz.net>
References:  <4C4D7EED.4060704@sk1llz.net>

On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:

> When using synproxy state, the connection never completes. If we change
> synproxy to keep, everything works fine. Alternatively, if the service in
> question is running locally on the actual firewall itself, I'll see
> state entries show up in pfctl -s doing a proxy and then passing the
> connection on to itself - so why doesn't it work in the same manner
> when passing on to a host behind the machine? I've tried all sorts of
> variations and skipping processing on the internal interface, but I just
> can't seem to get it to work. All my searching has turned up nothing.
> I've also tried state-policy if-bound and there appears to be no change.
> Is this a bug? Have I missed something totally obvious?

Concurrently run

  # tcpdump -nvSi em0 tcp port 80

and

  # tcpdump -nvSi em1 tcp port 80

and reproduce one connection failure. What do you see?
Does the TCP handshake (SYN, SYN+ACK, ACK) complete between
client and pf? And the one between pf and the server?

Right after the failure, does pfctl -vvss show a state entry
for the failed connection? What does it look like?

Run pfctl -vvsi before and after the failure. Which counters
are increasing?

Enable verbose logging (pfctl -x misc); does /var/log/messages
show any message possibly related to the failure?

Kind regards,
Daniel
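Added example, not part of Daniel's reply or of the pf project: a POSIX shell script that automates two of the checks above, the "pfctl -vvsi before and after the failure, which counters increased?" comparison and the "pfctl -vvss, what does the state entry look like?" inspection. The pfctl output embedded in it is constructed sample text shaped like pf's State Table / Counters sections and state listing (values are made up); the PROXY:SRC / PROXY:DST labels are the ones pfctl prints for a state whose synproxy handshake has not yet completed on one side. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot "pfctl -vvsi" before and
# after a failed connection, report which counters went up, and list states
# still stuck in a synproxy phase in "pfctl -vvss".
# All pfctl text below is CONSTRUCTED sample output; values are made up.

PFCTL_INFO_BEFORE='Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                        3
  searches                             1200            0.3/s
  inserts                               120            0.0/s
  removals                              117            0.0/s
Counters
  match                                 130            0.0/s
  bad-offset                              0            0.0/s
  state-mismatch                          4            0.0/s
  state-insert                            0            0.0/s
  synproxy                               20            0.0/s'

PFCTL_INFO_AFTER='Status: Enabled for 0 days 01:02:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        4
  searches                             1212            0.3/s
  inserts                               121            0.0/s
  removals                              117            0.0/s
Counters
  match                                 131            0.0/s
  bad-offset                              0            0.0/s
  state-mismatch                          6            0.0/s
  state-insert                            0            0.0/s
  synproxy                               21            0.0/s'

# Constructed "pfctl -vvss" excerpt: one state still in the synproxy phase
# (PROXY:DST = handshake with the server in progress), one established.
PFCTL_STATES='em0 tcp 10.0.0.20:80 <- 198.51.100.7:50123       PROXY:DST
   [0 + 65535]  [0 + 0]
   age 00:00:05, expires in 00:00:25, 2:0 pkts, 120:0 bytes, rule 3
em0 tcp 10.0.0.20:22 <- 198.51.100.7:50001       ESTABLISHED:ESTABLISHED
   [1000 + 65535] wscale 6  [2000 + 65535] wscale 6
   age 00:10:00, expires in 23:59:00, 40:38 pkts, 5000:6000 bytes, rule 4'

# counters_from: read pfctl -vvsi text on stdin and print "name value" for
# each row of the State Table, Counters and Limit Counters sections.
# Multi-word names ("current entries") are joined with "-".
counters_from() {
    awk '
        /^[A-Z]/ { section = $1; next }   # section header line
        section ~ /^(State|Counters|Limit)$/ && NF >= 2 {
            name = ""; val = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) { val = $i; break }
                name = (name == "") ? $i : (name "-" $i)
            }
            if (name != "" && val != "") print name, val
        }'
}

# increased_counters BEFORE AFTER: print "name delta" for every counter
# whose value is higher in AFTER than in BEFORE.
increased_counters() {
    {
        printf '%s\n' "$1" | counters_from
        echo '---'
        printf '%s\n' "$2" | counters_from
    } | awk '
        $1 == "---" { phase = 1; next }
        !phase      { old[$1] = $2; next }
        ($1 in old) && ($2 + 0 > old[$1] + 0) { print $1, $2 - old[$1] }'
}

# proxy_states: from pfctl -vvss text on stdin, keep only the state lines
# that are still in a synproxy phase (PROXY:SRC or PROXY:DST).
proxy_states() {
    grep -E 'PROXY:(SRC|DST)'
}

# live_check: the same two checks against a real pf host (not run here).
live_check() {
    before=$(pfctl -vvsi)
    printf 'Reproduce the failing connection, then press Enter: '
    read _dummy
    after=$(pfctl -vvsi)
    echo '== counters that increased =='
    increased_counters "$before" "$after"
    echo '== states still in a synproxy phase =='
    pfctl -vvss | proxy_states
}

# Run against the constructed samples:
increased_counters "$PFCTL_INFO_BEFORE" "$PFCTL_INFO_AFTER"
printf '%s\n' "$PFCTL_STATES" | proxy_states
```

On the constructed samples the script reports searches, inserts, current-entries, match, state-mismatch and synproxy as increased, and prints the one state line still at PROXY:DST; on a real host, run live_check while the two tcpdump captures from the reply are running so the counter deltas and the state listing can be matched against the packets on each interface.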
