From: Daniel Hartmeier
To: Justin
Cc: freebsd-pf@freebsd.org
Date: Tue, 27 Jul 2010 09:48:50 +0200
Subject: Re: pf synproxy
Message-ID: <20100727074850.GB1114@insomnia.benzedrine.cx>
In-Reply-To: <4C4D7EED.4060704@sk1llz.net>
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:

> When using synproxy state - the connection never completes. If we change
> synproxy to keep, everything works fine. Alternately, if the service in
> question is running locally on the actual firewall itself, I'll see
> state entries show up in pfctl -s doing a proxy and then passing the
> connection on to itself - so why doesn't it work in the same manner
> when passing on to a host behind the machine? I've tried all sorts of
> variations and skipping processing on internal interface, but I just
> can't seem to get it to work. All my searching has turned up nothing.
> I've also tried state-policy if-bound and there appears to be no change.
> Is this a bug? Have I missed something totally obvious?

Concurrently run

  # tcpdump -nvSi em0 tcp port 80

and

  # tcpdump -nvSi em1 tcp port 80

and reproduce one connection failure. What do you see?

Does the TCP handshake (SYN, SYN+ACK, ACK) complete between client and pf?
And the one between pf and the server?

Right after the failure, does pfctl -vvss show a state entry for the failed
connection? What does it look like?

Run pfctl -vvsi before and after the failure. Which counters are increasing?

Enable verbose logging (pfctl -x misc), does /var/log/messages show any
message possibly related to the failure?

Kind regards,
Daniel
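The diagnostic steps Daniel lists (tcpdump on both interfaces, pfctl -vvss after the failure, pfctl -vvsi before and after it) can be scripted so the "which counters are increasing?" part is answered mechanically. The script below is an added example, not code from the thread or from pf itself: `counters_of` parses the State Table, Counters and Limit Counters sections of a pfctl -vvsi snapshot, `increased` diffs two snapshots, and `diagnose` is the live procedure wired together for a pf host. The interface names em0/em1 and port 80 are taken from the thread; the two sample snapshots are constructed, abridged output with made-up numbers that say nothing about Justin's firewall.

```shell
#!/bin/sh
# Added example, not from the thread: automate the check Daniel asks for by
# snapshotting `pfctl -vvsi` before and after one failed connection and
# reporting which counters increased. em0/em1 and port 80 are from the
# thread; everything else is an assumption.

# Print "name value" per counter in a pfctl -vvsi snapshot ($1). Only the
# State Table, Counters and Limit Counters sections are read; multi-word
# names are joined with "_"; the value is the Total column (the field before
# the trailing "N.N/s" rate when one is present).
counters_of() {
    awk '
        /^(State Table|Counters|Limit Counters)/ { sec = 1; next }
        NF == 0 { next }
        /^[A-Z]/ { sec = 0; next }          # any other section header
        !sec { next }
        {
            val = ($NF ~ "/s$") ? $(NF - 1) : $NF
            if (val !~ /^[0-9]+$/) next
            name = $1
            for (i = 2; i <= NF && $i != val; i++) name = name "_" $i
            print name, val
        }' "$1"
}

# Counters that went up between snapshots $1 and $2, one per line as
# "name before after delta", in the order pfctl prints them.
increased() {
    { counters_of "$1" | sed 's/^/B /'; counters_of "$2" | sed 's/^/A /'; } |
    awk '$1 == "B" { before[$2] = $3 + 0; next }
         ($2 in before) && $3 + 0 > before[$2] {
             print $2, before[$2], $3, $3 - before[$2] }'
}

# Live procedure on the pf host (as root), not run here: tcpdump both sides
# while the failure is reproduced, snapshot around it, keep everything in a
# temp dir, then show the counter diff.
diagnose() {
    ext=${1:-em0}; int=${2:-em1}; port=${3:-80}; d=$(mktemp -d)
    tcpdump -nvSi "$ext" tcp port "$port" >"$d/$ext.txt" 2>&1 & p1=$!
    tcpdump -nvSi "$int" tcp port "$port" >"$d/$int.txt" 2>&1 & p2=$!
    pfctl -vvsi >"$d/before.txt"
    printf 'Reproduce one failing connection, then press Enter: '; read dummy
    pfctl -vvsi >"$d/after.txt"
    pfctl -vvss >"$d/states.txt"          # the failed connection's state, if any
    kill "$p1" "$p2"
    echo "captures, states and snapshots kept in $d"
    increased "$d/before.txt" "$d/after.txt"
}

# Constructed, abridged snapshots for an offline demo; the numbers are made
# up and say nothing about Justin's firewall.
sample_before() {
cat <<'EOF'
Status: Enabled for 0 days 00:02:31           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                            1024                0

State Table                          Total             Rate
  current entries                        2
  searches                              40            0.3/s
  inserts                                4            0.0/s
  removals                               2            0.0/s
Counters
  match                                  4            0.0/s
  bad-offset                             0            0.0/s
  state-mismatch                         0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
EOF
}

sample_after() {
cat <<'EOF'
Status: Enabled for 0 days 00:02:58           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                            1800                0

State Table                          Total             Rate
  current entries                        2
  searches                              52            0.4/s
  inserts                                5            0.0/s
  removals                               3            0.0/s
Counters
  match                                  5            0.0/s
  bad-offset                             0            0.0/s
  state-mismatch                         3            0.1/s
  synproxy                               1            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
EOF
}

# Offline demo on the constructed snapshots.
demo() {
    d=$(mktemp -d)
    sample_before >"$d/before.txt"; sample_after >"$d/after.txt"
    increased "$d/before.txt" "$d/after.txt"
    rm -rf "$d"
}
```

On the firewall, `diagnose em0 em1 80` (as root) does the whole round: it leaves the two tcpdump captures, the pfctl -vvss output and both snapshots in the temp directory it names, and prints only the counters that moved, so the handshake question is answered from the captures and the counter question from the diff. `demo` runs the same diff on the constructed snapshots and needs no pf at all.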