Date: Wed, 23 Nov 2005 14:55:52 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Alex <alextols@gmail.com>
Subject: Re: pf synproxy in 6.0
Message-ID: <200511231456.03507.max@love2party.net>
In-Reply-To: <1132753339.649.48.camel@diablo>
References: <1132753339.649.48.camel@diablo>
On Wednesday 23 November 2005 14:42, Alex wrote:
> In contrast, it looks like synproxy is _not_ working in 6-stable from
> November 22nd.
> The same ruleset for inbound traffic is working successfully on
> 5.4-STABLE.
> The workaround I've done is to change the 'synproxy' option to 'modulate'.
> Any ideas and info?

There has been a change in how synproxy works. With OpenBSD's revision 1.437
of pf.c: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.437 the
secondary handshake no longer passes unconditionally, but must be allowed by
a separate rule. Something like:

  pass on $int_if proto tcp from any to $synproxied flags S/SA

should do. Can you please check and confirm? I am afraid this difference in
behavior from normal "keep/modulate" vs. "synproxy" is underdocumented -
suggestions appreciated.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
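The two-rule arrangement Max describes, written out as a pf.conf excerpt. This is an added example, not the ruleset Alex or Max posted; the interface names, the server addresses (from the 192.0.2.0/24 documentation range) and the choice of port 80 are constructed placeholders, and the explicit `keep state` on the second rule is an assumption for the pre-7.0 pf, where state is not kept by default.

```pf
# pf.conf excerpt (added example; names and addresses are constructed)
ext_if     = "em0"                          # assumption: external interface
int_if     = "em1"                          # assumption: internal interface
synproxied = "{ 192.0.2.10, 192.0.2.11 }"   # constructed: servers behind pf

# Inbound rule: pf completes the client's handshake itself and only then
# opens the connection to the real server.
pass in on $ext_if proto tcp from any to $synproxied port 80 \
    flags S/SA synproxy state

# Secondary handshake (pf -> server): since pf.c rev 1.437 this is no longer
# passed unconditionally, so a separate rule must allow the SYN pf sends.
# This is the rule Max suggests in the thread, with keep state added.
pass out on $int_if proto tcp from any to $synproxied flags S/SA keep state
```

Check the file before loading it with `pfctl -vnf /etc/pf.conf` (parse only, verbose), then load it with `pfctl -f /etc/pf.conf`; if inbound connections to `$synproxied` still stall on the secondary handshake, the rule on `$int_if` is the one to look at first, since that is exactly what changed between 5.4 and 6.0 here.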