Date: Thu, 23 Oct 2014 21:25:55 +0300
From: Tugrul Erdogan <h.tugrul.erdogan@gmail.com>
To: freebsd-pf@freebsd.org
Subject: SynProxy had a trouble when located front of a router device
Message-ID: <CA+whn7SZ+1dxmcFSU7W5-2+JpawvAOVVxMz8VWWWB1mUCi-Ctg@mail.gmail.com>
Hi,

I have a problem with the pf synproxy state handshaking mechanism. I have been using pf for years, but this is the first time I have a router at the back of the topology. The schema of my topology is given below:

    Attacker <----------> FreeBSD(Test) <-----------> Router <----> Victim

I am trying to connect from the attacker to the victim on port 80. Without the synproxy rule I connect successfully. Whenever I activate synproxy state, the client (attacker) side handshake completes (on the outer interface of the FreeBSD device):

    21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
    21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
    21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
    21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
    21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0

After that, "pfctl -vvss" shows:

    ix1 tcp AA.BB.183.93:51513 -> AA.BB.189.100:80       PROXY:DST

and there is no packet on the inner interface of the FreeBSD device in the tcpdump output. After some seconds FreeBSD generates RST packets to both sides. (There are no handshake SYN or ACK packets generated by pf synproxy on the inner interface.)

I think that the problem is about the router, because I had had successful connections before the router device. When I turn off synproxy or use "keep state" instead of "synproxy state" I can connect successfully.

I would like your opinions on why the handshake packets could not be generated by pf synproxy.

Regards,
Tugrul
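The capture above shows only the client-side half of a pf synproxy handshake: pf answers the SYN itself with a SYN-ACK carrying win 0 and a lone mss option, the client's final ACK is then retransmitted, and the inner interface stays silent; in pf, the PROXY:DST state printed by pfctl is the synproxy phase after the client's handshake is finished, while pf waits for the server's SYN-ACK. The script below is an added example, not part of the original post and not pf's own code. It correlates tcpdump output from the outer and inner interfaces per TCP flow and reports the first missing step of the splice. Its inputs are constructed: the "broken" outer capture is the post's tcpdump output with an empty inner capture, and the "ok" pair (an inner SYN/SYN-ACK/ACK using the client's address, then an outer window update with win 65535) is an assumed picture of a working synproxy splice, not a capture from the poster's system.

```python
import re
from collections import defaultdict

# tcpdump line shape used in the post, e.g.
# 21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [...], length 0
# Addresses keep the post's "AA.BB" masking; tcpdump joins address and port with a dot.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP '
    r'(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
    r'(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?')


def parse_capture(text, side):
    """Parse tcpdump text into packet dicts tagged with side ('outer' or 'inner')."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP line in this shape (ARP, truncated, etc.)
        p = m.groupdict()
        p['side'] = side
        p['flags'] = set(p['flags'])  # tcpdump letters: S=SYN, .=ACK, R=RST, F=FIN, P=PSH
        for k in ('sport', 'dport', 'seq', 'ack', 'win'):
            p[k] = int(p[k]) if p[k] is not None else None
        pkts.append(p)
    return pkts


def verdict(f):
    """Name the first step of the synproxy splice that is missing for one flow."""
    if not f['outer_syn']:
        return 'no client SYN on outer interface'
    if not f['outer_synack']:
        return 'firewall did not answer the SYN'
    if not f['outer_ack']:
        return 'client did not complete the outer handshake'
    if not f['inner_syn']:
        return ('outer handshake complete but no SYN on inner interface: '
                'synproxy never opened the server side')
    if not f['inner_synack']:
        return 'SYN reached inner interface but server did not answer'
    if not f['outer_window_update']:
        return 'server side up but client window not yet released'
    return 'synproxy spliced both sides'


def diagnose(outer_text, inner_text):
    """Correlate the two captures per TCP flow and report where the handshake stopped."""
    flows = defaultdict(lambda: dict(
        client=None, server=None, outer_syn=False, outer_synack=False,
        outer_synack_win=None, outer_ack=False, client_ack_retransmits=0,
        outer_window_update=False, inner_syn=False, inner_synack=False))
    for p in parse_capture(outer_text, 'outer') + parse_capture(inner_text, 'inner'):
        a, b = (p['src'], p['sport']), (p['dst'], p['dport'])
        f = flows[tuple(sorted([a, b]))]  # same key whichever direction the packet goes
        pure_syn = 'S' in p['flags'] and '.' not in p['flags']
        synack = 'S' in p['flags'] and '.' in p['flags']
        bare_ack = p['flags'] == {'.'}
        if pure_syn and f['client'] is None:
            f['client'], f['server'] = a, b  # whoever sends the first SYN is the client
        from_client = f['client'] == a
        if p['side'] == 'outer':
            if pure_syn:
                f['outer_syn'] = True
            elif synack:
                f['outer_synack'], f['outer_synack_win'] = True, p['win']  # pf synproxy answers with win 0
            elif bare_ack and from_client:
                if f['outer_ack']:
                    f['client_ack_retransmits'] += 1  # client keeps re-sending its final ACK
                else:
                    f['outer_ack'] = True
            elif bare_ack and p['win']:
                f['outer_window_update'] = True  # pf opens the client window once the server side is up
        elif pure_syn:
            f['inner_syn'] = True  # the SYN pf originates toward the server, with the client's address
        elif synack:
            f['inner_synack'] = True
    return {k: dict(f, verdict=verdict(f)) for k, f in flows.items()}


# Constructed sample: the post's outer-interface capture, and nothing on the inner interface.
OUTER_BROKEN = """
21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
"""
INNER_BROKEN = ""

# Constructed (assumed) sample of a working splice: pf sends the SYN onward on the inner side,
# the server answers, and pf then releases the client's window on the outer side.
OUTER_OK = "\n".join(OUTER_BROKEN.strip().splitlines()[:3]) + """
21:09:53.532100 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [.], ack 1, win 65535, length 0
"""
INNER_OK = """
21:09:53.531600 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 65535, options [mss 1460], length 0
21:09:53.531900 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 3344556677, ack 1458776781, win 65535, options [mss 1460], length 0
21:09:53.532000 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 65535, length 0
"""

if __name__ == '__main__':
    for name, (o, i) in {'broken': (OUTER_BROKEN, INNER_BROKEN), 'ok': (OUTER_OK, INNER_OK)}.items():
        for f in diagnose(o, i).values():
            print(name, f['client'], '->', f['server'], ':', f['verdict'],
                  f"(final-ACK retransmits: {f['client_ack_retransmits']})")
```

Run it against two tcpdump files taken at the same time on the outer and inner interfaces (for example by reading them into the two string arguments of diagnose); the "outer handshake complete but no SYN on inner interface" verdict is the pattern in the post, and the retransmit counter separates a client that is waiting on a win 0 SYN-ACK from one that simply went away.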