Date:      Mon, 26 Jul 2010 05:26:21 -0700
From:      Justin <justin@sk1llz.net>
To:        freebsd-pf@freebsd.org
Subject:   pf synproxy
Message-ID:  <4C4D7EED.4060704@sk1llz.net>


    Hello all - I've tried searching the list but it seems something is 
broken and I'm getting 500 errors. Alas,

  Is there something unique about using synproxy in a gateway style 
firewall that isn't outlined in the PF manuals? Here's the scenario:

Internet -> em0 | pf rules | em1 -> target host.

1.2.3.1/29 on em0, 1.2.4.1/29 on em1, 1.2.5.1/29 on target host.

PF rules:

# loopback: no filtering at all
set skip on lo0
# inside interface (toward the target host): allow everything in and out
pass out on em1
pass in on em1
# outside interface: outbound TCP with sequence-number modulation
pass out on em0 proto tcp all modulate state
# outside interface: inbound TCP to port 80, pf completes the handshake
# with the client before the target host sees a SYN
pass in on em0 proto tcp from any to any port 80 synproxy state


When using synproxy state - the connection never completes. If we change 
synproxy to keep, everything works fine. Alternately, if the service in 
question is running locally on the actual firewall itself, I'll see 
state entries show up in pfctl -s doing a proxy and then passing the 
connection on to itself - so why doesn't it work in the same manner 
when passing on to a host behind the machine? I've tried all sorts of 
variations and skipping processing on internal interface, but I just 
can't seem to get it to work. All my searching has turned up nothing. 
I've also tried state-policy if-bound and there appears to be no change. 
Is this a bug? Have I missed something totally obvious?

-Justin

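A diagnostic to go with the question above, added here as an example and not part of the original e-mail or of pf itself. It sorts the TCP lines of `pfctl -s state` output by synproxy phase so you can see whether stalled connections are stuck on the client-side handshake or on the server-side handshake (the leg that crosses em1 in the set-up described). It assumes the line format pfctl prints for TCP states, as recalled from pfctl's pf_print_state.c: `<if> tcp <dst> <- <src>   <state>` for states created by inbound packets, `<if> tcp <src> -> <dst>   <state>` for outbound ones, with `PROXY:SRC` while pf is still shaking hands with the client and `PROXY:DST` while it is shaking hands with the real server; check that against your release. The sample lines are constructed, with 1.2.5.2 standing in for the target host behind em1.

```python
"""Sort `pfctl -s state` TCP lines by synproxy phase (added example, not pf code).

Assumed pfctl line shapes (from memory of pfctl's pf_print_state.c):
    <ifname> tcp <dst>[ (<nat>)] <- <src>[ (<nat>)]   <state>
    <ifname> tcp <src>[ (<nat>)] -> <dst>[ (<nat>)]   <state>
<state> is PROXY:SRC (handshake with the client in progress), PROXY:DST
(handshake with the real server in progress) or <tcp>:<tcp> once the
proxy has handed over or for plain keep/modulate state.
"""
import re
from collections import Counter

STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+tcp\s+"
    r"(?P<left>\S+)(?:\s+\(\S+\))?\s+"      # first endpoint, optional NAT address
    r"(?P<dir><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\(\S+\))?\s+"     # second endpoint, optional NAT address
    r"(?P<st>\S+)$"
)

# Assumed pfctl labels for the two synproxy stages.
PHASES = {
    "PROXY:SRC": "client_handshake",  # SYN/ACK sent to the client, waiting for its ACK
    "PROXY:DST": "server_handshake",  # SYN sent toward the real server, waiting for SYN/ACK
}


def parse_state_line(line):
    """Return a dict for one TCP state line, or None for udp/icmp/junk lines."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    left, right = m.group("left"), m.group("right")
    # "dst <- src" for states created by inbound packets, "src -> dst" for outbound.
    if m.group("dir") == "<-":
        dst, src = left, right
    else:
        src, dst = left, right
    st = m.group("st")
    return {
        "if": m.group("ifname"),
        "src": src,
        "dst": dst,
        "state": st,
        "phase": PHASES.get(st, "tcp"),
    }


def summarize(text):
    """Count TCP states per synproxy phase across a whole state dump."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_state_line(line)
        if rec:
            counts[rec["phase"]] += 1
    return counts


def server_leg_pending(text):
    """(src, dst) pairs where pf has finished the client handshake but the
    handshake toward the real server has not completed.  In the gateway
    layout from the post, pf's SYN toward the target host and the SYN/ACK
    that should come back both cross em1, so these are the connections to
    look for with `tcpdump -ni em1 port 80`."""
    return [
        (rec["src"], rec["dst"])
        for rec in map(parse_state_line, text.splitlines())
        if rec and rec["phase"] == "server_handshake"
    ]


# Constructed sample, not real pfctl output.
SAMPLE = """\
all tcp 1.2.5.2:80 <- 203.0.113.5:51234       PROXY:DST
all tcp 1.2.5.2:80 <- 203.0.113.7:40012       PROXY:SRC
all tcp 1.2.5.2:80 <- 203.0.113.9:40444       ESTABLISHED:ESTABLISHED
all tcp 1.2.5.2:55123 -> 198.51.100.3:443       ESTABLISHED:ESTABLISHED
all udp 1.2.5.2:53 <- 203.0.113.9:5000       SINGLE:MULTIPLE
"""

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    for src, dst in server_leg_pending(SAMPLE):
        print(f"server-side handshake pending: {src} -> {dst}")
```

Feed it the live dump with `pfctl -s state | python3 this_script.py` after replacing `SAMPLE` with `sys.stdin.read()`. A state that sits in PROXY:DST while the client retransmits tells you the firewall finished its side of the proxy and the problem is on the em1 leg; a state that never leaves PROXY:SRC, or never appears at all, points at the em0 side instead.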


