Date:      Sun, 3 Apr 2005 01:07:49 +0200
From:      J65nko BSD <j65nko@gmail.com>
To:        LukeD@pobox.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf synproxy and fragments
Message-ID:  <19861fba05040215079a567db@mail.gmail.com>
In-Reply-To: <20050401140521.V2111@border.crystalsphere.multiverse>
References:  <20050401140521.V2111@border.crystalsphere.multiverse>

On Apr 2, 2005 12:18 AM, LukeD@pobox.com <LukeD@pobox.com> wrote:
> 
> I'm running 5.3 stable.
> I've recently switched from ipfilter to pf to take advantage of the
> traffic shaping, and I've run into something I don't understand.
> 
> I read the documentation on the synproxy option and it sounded good to me,
> so I replaced my "keep state" rules with "synproxy state".
> 
> After doing this, I noticed that my filesharing programs stopped
> downloading.  I switched back to "keep state" for the rules that handled
> my filesharing traffic and the problem went away.
> 
> Today my brother called and told me that he couldn't get to my website
> anymore because his firewall said that my http service was sending a
> "fragment attack".  I replaced "synproxy state" with "keep state" for the
> rules pertaining to httpd and the problem went away.
> 
> Specifically, the http traffic rule was (formatted):
> pass in quick on $ext_if proto tcp from any to any port 80 flags S/SAFR
> synproxy state queue(http_out,ack_out)
> 
> Having tried a few other firewalls in the past, I know that some of them
> don't like fragmented packets at all.
> 
> This week's events make me believe that pf's synproxy option is causing my
> server to send out fragments, and those fragments aren't well-received.
> Is this normal with synproxy?  Am I misusing synproxy?  Is this just a
> coincidence?
> 

In http://archives.neohapsis.com/archives/openbsd/2005-03/2760.html
somebody reported a similar problem. Maybe you could try his
"solution" by leaving out "flags S/SAFR"

=Adriaan=
