From owner-freebsd-pf@FreeBSD.ORG Thu Oct 23 18:25:58 2014
Date: Thu, 23 Oct 2014 21:25:55 +0300
Subject: SynProxy had a trouble when located front of a router device
From: Tugrul Erdogan
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I have a problem with the pf synproxy state handshaking mechanism. I have been using pf for years, but this is the first time I have a router at the backplane of the topology. The schema of my topology is given below:

  ----------     ---------------     --------     --------
  Attacker <----------> FreeBSD(Test) <-----------> Router <----> Victim
  ----------     ---------------     --------     --------

I am trying to connect from the attacker to the victim on port 80. Without the synproxy rule I connect successfully. Whenever I activate synproxy state, the client (attacker) side handshake completes (seen on the outer interface of the FreeBSD device):

21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0

After that, "pfctl -vvss" shows:

ix1 tcp AA.BB..183.93:51513 -> AA.BB..189.100:80 PROXY:DST

and there are no packets on the inner interface of the FreeBSD device in the tcpdump output. After some seconds FreeBSD generates RST packets to both sides. (There are no handshake SYN or ACK packets generated by pf synproxy on the inner interface.)

I think that the problem is related to the router, because I had successful connections before the router device was added. When I turn off synproxy or use "keep state" instead of "synproxy state", I can connect successfully.

I would like your opinions on why the handshake packets could not be generated by pf synproxy.

Regards,
Tugrul
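As an added illustration (not code from the post or from pf itself), the following Python script parses tcpdump summary lines like the ones quoted above and flags the pattern the post describes: the proxy completes the client-side handshake with a zero window, the client then only sends data-less ACKs, and no SYN for that flow ever appears on the inner interface. The sample captures are constructed to mirror the post (same AA.BB placeholders); the `diagnose` function and its report keys are my own naming.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump lines in the post; the inner capture is
# empty because the post reports no packets on the inner interface for this flow.
OUTER_CAPTURE = """\
21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
"""
INNER_CAPTURE = ""

# tcpdump TCP summary line: timestamp, endpoints (host.port), flags, window, length
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?win (?P<win>\d+).*?length (?P<len>\d+)"
)

def parse(capture):
    """Parse tcpdump lines into dicts; lines that do not match the TCP shape are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, capture.splitlines()) if m]

def group_flows(pkts):
    """Group packets by unordered endpoint pair so both directions land in one flow."""
    flows = defaultdict(list)
    for p in pkts:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        flows[key].append(p)
    return flows

def diagnose(outer_capture, inner_capture):
    """Per outer-interface flow: did the proxy finish the client handshake with win 0,
    did the client keep sending data-less ACKs, and was a SYN for the same flow ever
    seen on the inner interface? All three together is the stall the post describes."""
    inner_syn = {k for k, pk in group_flows(parse(inner_capture)).items()
                 if any("S" in p["flags"] for p in pk)}
    report = {}
    for key, pk in group_flows(parse(outer_capture)).items():
        flags = [p["flags"] for p in pk]
        client_done = flags[:3] == ["S", "S.", "."] and pk[1]["win"] == "0"
        idle_acks = sum(1 for p in pk[3:] if p["flags"] == "." and p["len"] == "0")
        backend_seen = key in inner_syn
        report[key] = {"client_handshake_done": client_done,
                       "dataless_acks_after_handshake": idle_acks,
                       "backend_syn_on_inner": backend_seen,
                       "synproxy_stall": client_done and idle_acks > 0 and not backend_seen}
    return report
```

Run it against a capture from each interface (e.g. `tcpdump -n -i ix1` and the inner interface) to separate "proxy never opened the backend leg" from "backend answered but the reply never came back".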