From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Alex
Date: Wed, 23 Nov 2005 14:55:52 +0100
Subject: Re: pf synproxy in 6.0
In-Reply-To: <1132753339.649.48.camel@diablo>
Message-Id: <200511231456.03507.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wednesday 23 November 2005 14:42, Alex wrote:
> In contrast, looks like synproxy is _not_ working in 6-stable from
> November, 22nd.
> The same ruleset for inbound traffic is working successfully on
> 5.4-STABLE.
> The workaround I've done is to change the 'synproxy' option to 'modulate'.
> Any ideas and info?

There has been a change in how synproxy works. With OpenBSD's revision 1.437
of pf.c:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.437

the secondary handshake no longer passes unconditionally, but must be allowed
by a separate rule. Something like:

pass on $int_if proto tcp from any to $synproxied flags S/SA

should do. Can you please check and confirm? I am afraid this difference in
behavior from normal "keep/modulate" vs. "synproxy" is underdocumented -
suggestions appreciated.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
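The ruleset shape this thread describes, as an added example that is not part of the original mail or of pf itself: the inbound synproxy rule on the external interface plus the separate rule Max suggests for the proxy's own handshake toward the server. The macro values, the `$ext_if` name and the port list are assumptions for illustration; `$int_if` and `$synproxied` come from the reply above.

```conf
# Added example (not from the original mail). Interface names, the address
# and the port list are placeholders; adjust for the real network.
ext_if = "em0"
int_if = "em1"
synproxied = "192.0.2.10"      # constructed example server address
proxied_ports = "{ 80, 443 }"  # assumed services to front with synproxy

set skip on lo

# Default deny, logged, so a missing rule shows up in pflog rather than
# silently "working" because of an overly broad pass.
block log all

# Inbound: pf completes the client's TCP handshake itself and only then
# opens the connection toward $synproxied. Clients never reach the server
# until they have proven they can finish the handshake.
pass in on $ext_if proto tcp from any to $synproxied port $proxied_ports \
    flags S/SA synproxy state

# With pf.c rev. 1.437 and later (FreeBSD 6.0), the secondary handshake
# that pf itself initiates toward the server is no longer passed
# unconditionally. Without this rule the "block log all" above drops the
# proxy's SYN to the server and synproxied connections never complete.
pass on $int_if proto tcp from any to $synproxied port $proxied_ports \
    flags S/SA keep state
```

If synproxied connections stall after the upgrade, `tcpdump -n -e -ttt -i pflog0` showing blocked SYNs from the firewall toward `$synproxied` on `$int_if` points at the missing second rule.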