pf synproxy

Andrei Manescu - Ivorde andrei.manescu at ivorde.ro
Mon Jul 26 15:48:53 UTC 2010


On Mon, July 26, 2010 6:02 pm, Justin wrote:
> ... it's not an if_bridge, thanks.
>
>
> On 7/26/2010 7:05 AM, Denny Lin wrote:
>
>> On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
>>
>>
>>> Hello all - I've tried searching the list but it seems something is
>>> broken and I'm getting 500 errors. Alas,
>>>
>>> Is there something unique about using synproxy in a gateway style
>>> firewall that isn't outlined in the PF manuals? Here's the scenario:
>>>
>>> Internet ->  em0 | pf rules | em1 ->  target host.
>>>
>>>
>> Synproxy does not work when on bridges.
>>
>>
>> From pf.conf(5):
>> Rules with synproxy will not work if pf(4) operates on a if_bridge(4).
>>
>>
>>
>

If it helps, you're not the only one with issues. Synproxy is not for
general fw use IMHO. I.e.: a friend is running a high traffic website and
synproxy slows down the packet flow. Another example, if I remember
correctly, is that it doesn't work with packet tagging; another one, just
mentioned, is that it doesn't work with if_bridge... I gave up on it a long time ago
(on FreeBSD 6). (Of course, everything is subject to different factors,
like hw.)

You could, instead, try ftp-proxy, which works great with pf and passive
ftp (I really can't say how effective it is against a syn flood, but you
can test it).

Synproxy is a great addition to pf but, unfortunately, it doesn't lack
bugs.
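For the routed gateway in Justin's scenario above (Internet -> em0 | pf | em1 -> target host), here is an added pf.conf example that is not from the original thread. The interface names come from the scenario; the target address and the set of proxied ports are placeholders I assumed.

```pf
# Added example: routed gateway with synproxy in front of one host.
# synproxy only works when pf forwards between real interfaces; per pf.conf(5)
# it is not usable when pf operates on an if_bridge(4).
ext_if = "em0"
int_if = "em1"
target = "192.0.2.10"          # placeholder address for the target host behind em1
web_ports = "{ 80, 443 }"      # assumed services to protect

set skip on lo0

# Default deny; log drops so a SYN flood is visible on pflog0
block log all

# pf completes the TCP handshake itself before any packet reaches the target.
# Only initial SYNs (flags S/SA) are matched, so established flows are unaffected.
pass in on $ext_if proto tcp from any to $target port $web_ports \
    flags S/SA synproxy state

# Forward the proxied connection to the target with normal stateful tracking
pass out on $int_if proto tcp from any to $target port $web_ports keep state

# Traffic originated from the inside toward the Internet
pass in on $int_if keep state
pass out on $ext_if keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`; expect a throughput cost on busy hosts, as the reply above notes, so measure before relying on it in production.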


