Date: Wed, 9 Feb 2005 23:11:41 +0100
From: Max Laier <max@love2party.net>
To: Andy Hilker <ah@crypta.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: problems with synproxy on 5.3-stable
Message-ID: <200502092311.47713.max@love2party.net>
In-Reply-To: <20050209215832.GA22874@mail.crypta.net>
References: <20050209131055.GA94001@mail.crypta.net> <200502091945.01577.max@love2party.net> <20050209215832.GA22874@mail.crypta.net>

On Wednesday 09 February 2005 22:58, Andy Hilker wrote:
> You (Max Laier) wrote:
> > Not really, but tcpdump can help. Add log-all to the synproxy and try to
> > watch the connection in tcpdump on pflog0 with something like:
> > $tcpdump -n -e -ttt -i pflog0 rulenum <rule#> and host "testip"
> >
> > You might also want to raise the debugging level with "$pfctl -x misc"
> > and watch the console for BAD state messages.
>
> Ok, I modified my ruleset like this:
>
> [...]
> set loginterface $if_ext

That does not matter here. It only affects $pfctl -si

> [...]
> pass in log quick on $if_ext proto tcp from any to <www_servers>
          ^^^
Change this to "log-all" in order to get the full transaction log on pflog.
If you happen to know a "known bad"-peer you can also split the rule as:

pass in log-all quick on $if_ext proto tcp from $bad_peer to <www_servers> \
    port = 80 flags S/SA synproxy state
pass in quick on $if_ext proto tcp from any to <www_servers> \
    port = 80 flags S/SA synproxy state

> port = 80 flags S/SA synproxy state
>
> Then typed "pfctl -x loud" and "tcpdump -n -e -ttt -i pflog0".
> Output looks like without "pfctl -x loud". Where do I see debug output?

$dmesg -a should turn it up. It's written to the console.

> > Keep us posted, thanks.
>
> Yes, sure.
> But before I call the person who has problems and let him try again,
> I have to be sure to debug the right way.

Be sure to have pflogd(8) or tcpdump logging the traffic on pflog0 during the
connection attempt.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News