problems with synproxy on 5.3-stable
Max Laier
max at love2party.net
Wed Feb 9 10:45:11 PST 2005
On Wednesday 09 February 2005 14:10, Andy Hilker wrote:
> Hi,
>
> I have migrated from ipfilter to pf and have problems with synproxy.
> First: many thanks for importing pf to FreeBSD :)
>
> pf protects only localhost with multiple IPs and jails. There is
> only 1 outside interface.
>
> When I use "keep state" everything works normally. If using synproxy
> a few people are having problems accessing pop3 and http on my server.
> Requests are incomplete or corrupt (for example get requests in
> httpd-access.log). But it seems that this problem occurs only for
> a few people.
>
> Is there any way to "count" or monitor the activity of synproxy to
> see how many clients are blocked?
> Any ideas why synproxy does not work for these "few people"?

Not really, but tcpdump can help. Add log-all to the synproxy and try to
watch the connection in tcpdump on pflog0 with something like:

    $ tcpdump -n -e -ttt -i pflog0 rulenum <rule#> and host "testip"

You might also want to raise the debugging level with "pfctl -x misc" and
watch the console for BAD state messages.

Keep us posted, thanks.

--
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
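
Added example, not part of the original message: a small Python script that tallies TCP flags per client from saved `tcpdump -n -e -ttt -i pflog0` output, so clients that only ever show SYNs on the logged synproxy rule stand out. The line layout, the sample lines, rule number 4 and the function names are assumptions made for this illustration; it handles IPv4 only.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on `tcpdump -n -e -ttt -i pflog0` output.
# The exact layout differs between tcpdump versions (assumption).
SAMPLE = """\
000000 rule 4/0(match): pass in on fxp0: 192.0.2.10.51000 > 198.51.100.5.80: S 100:100(0) win 65535 <mss 1460>
000120 rule 4/0(match): pass in on fxp0: 192.0.2.10.51000 > 198.51.100.5.80: . ack 1 win 65535
000300 rule 4/0(match): pass in on fxp0: 192.0.2.10.51000 > 198.51.100.5.80: P 1:120(119) ack 1 win 65535
001000 rule 4/0(match): pass in on fxp0: 203.0.113.7.40000 > 198.51.100.5.110: S 900:900(0) win 5840 <mss 1380>
004000 rule 4/0(match): pass in on fxp0: 203.0.113.7.40000 > 198.51.100.5.110: S 900:900(0) win 5840 <mss 1380>
"""

# Inbound packets only, so the source address is always the remote client.
# Accepts old-style flags ("S 100:100(0)") and new-style ("Flags [S],").
LINE = re.compile(
    r"rule (?P<rule>\d+)[^:]*: \w+ in on \S+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+: "
    r"(?:Flags \[(?P<new>[^\]]+)\]|(?P<old>[SFPRWE.]+) )"
)

def tally(lines, rulenum):
    """Per client IP: [SYN packets, other packets] logged by rule `rulenum`."""
    seen = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.search(line)
        if not m or int(m["rule"]) != rulenum:
            continue
        flags = m["new"] or m["old"]
        seen[m["src"]][0 if "S" in flags else 1] += 1
    return dict(seen)

def syn_only_clients(counts):
    """Clients for which the log shows SYNs and nothing after them."""
    return sorted(ip for ip, (syn, other) in counts.items() if syn and not other)

if __name__ == "__main__":
    counts = tally(SAMPLE.splitlines(), rulenum=4)
    for ip, (syn, other) in sorted(counts.items()):
        print(f"{ip:15} syn={syn} other={other}")
    print("SYN only:", syn_only_clients(counts))
```

A client listed as SYN-only is a candidate for the per-host tcpdump filter from the message above.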