SynProxy had trouble when located in front of a router device

Tugrul Erdogan h.tugrul.erdogan at gmail.com
Thu Oct 23 18:25:58 UTC 2014


Hi,

I have a problem with the pf synproxy state handshaking mechanism. I have been
using pf for years, but for the first time I have a router at the backplane of the
topology. The schema of my topology is given below:

Attacker <----------> FreeBSD(Test) <-----------> Router <----> Victim

I am trying to connect from the attacker to the victim from port 80. Without the
synproxy rule I connect successfully. Whenever I activate synproxy
state, the client (attacker) side handshake completes (on the outer
interface of the FreeBSD device):

21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq
1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr
0,nop,wscale 7], length 0
21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq
2093170245, ack 1458776781, win 0, options [mss 1460], length 0
21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1,
win 5840, length 0
21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1,
win 5840, length 0
21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1,
win 5840, length 0

after that, "pfctl -vvss" shows:

ix1 tcp AA.BB..183.93:51513 -> AA.BB..189.100:80       PROXY:DST

and there is no packet on the inner interface of the FreeBSD device in the
tcpdump output. After some seconds FreeBSD generates RST packets to both sides.
(There are no handshake SYN or ACK packets generated by pf synproxy on the
inner interface.)

I think that the problem is about the router because I had successful
connections before the router device. When I turn off synproxy or use
"keep state" instead of "synproxy state" I can connect successfully.

I would like your opinions on why the handshake packets could not be
generated by pf synproxy.

Regards,
Tugrul
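An added illustration, not part of Tugrul's message or of pf itself: a small Python parser for tcpdump TCP lines of the kind quoted above, plus a classification heuristic of my own. The SYN-ACK in the quoted trace is answered by pf's synproxy (window 0, only an mss option), so a completed handshake on the outer interface says nothing about the inner side; the heuristic flags the combination "proxied SYN-ACK followed by the client retransmitting its bare ACK" as the case where the proxied SYN toward the server is what to inspect. The sample traces are constructed (the first mirrors the post's capture with tcpdump's line wrapping undone, the second is an invented plain `keep state` handshake for contrast); `parse_trace` and `analyze_handshake` are my names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the outer-interface capture quoted in the post, with
# tcpdump's line wrapping undone so that each packet is one line.
SYNPROXY_TRACE = """\
21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
"""

# Constructed contrast (invented values): a handshake answered by the end host
# itself, as with "keep state": non-zero window, full option set, data follows.
NORMAL_TRACE = """\
21:12:00.000100 IP AA.BB.183.93.51520 > AA.BB.189.100.80: Flags [S], seq 100, win 5840, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
21:12:00.000200 IP AA.BB.189.100.80 > AA.BB.183.93.51520: Flags [S.], seq 200, ack 101, win 28960, options [mss 1460,sackOK,TS val 9 ecr 1,nop,wscale 7], length 0
21:12:00.000300 IP AA.BB.183.93.51520 > AA.BB.189.100.80: Flags [.], ack 1, win 46, length 0
21:12:00.000400 IP AA.BB.183.93.51520 > AA.BB.189.100.80: Flags [P.], seq 1:75, ack 1, win 46, length 74
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # tcpdump flag string, e.g. "S", "S.", ".", "P."
    ack: Optional[int]
    win: Optional[int]
    length: int
    options: List[str] = field(default_factory=list)


def _int_field(name: str, rest: str) -> Optional[int]:
    m = re.search(r"\b%s (\d+)" % name, rest)
    return int(m.group(1)) if m else None


def parse_trace(text: str) -> List[Packet]:
    """Parse one-packet-per-line tcpdump TCP output into Packet records."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP line or a wrapped fragment: skip it
        rest = m.group("rest")
        opt = re.search(r"options \[([^\]]*)\]", rest)
        options = [o.strip() for o in opt.group(1).split(",")] if opt else []
        pkts.append(Packet(
            ts=m.group("ts"), src=m.group("src"), sport=int(m.group("sport")),
            dst=m.group("dst"), dport=int(m.group("dport")), flags=m.group("flags"),
            ack=_int_field("ack", rest), win=_int_field("win", rest),
            length=_int_field("length", rest) or 0, options=options))
    return pkts


def analyze_handshake(pkts: List[Packet]) -> Dict[str, object]:
    """Classify the client-side view of one TCP handshake (my heuristic).

    pf synproxy answers the SYN itself with a SYN-ACK carrying window 0 and
    only an mss option. If such a SYN-ACK is followed by the client
    retransmitting its bare ACK, the proxy has not moved the connection on,
    so the inner interface (the proxied SYN toward the server) is where to look.
    """
    syn = next((p for p in pkts if p.flags == "S"), None)
    if syn is None:
        return {"synproxy_answered": False, "client_ack_retransmits": 0,
                "verdict": "no SYN seen"}
    client = (syn.src, syn.sport)
    synack = next((p for p in pkts
                   if p.flags == "S." and (p.dst, p.dport) == client), None)
    proxied = (synack is not None and synack.win == 0 and synack.options
               and all(o.startswith("mss") for o in synack.options))
    bare_acks = [p for p in pkts if (p.src, p.sport) == client
                 and p.flags == "." and p.ack == 1 and p.length == 0]
    retransmits = max(0, len(bare_acks) - 1)
    if synack is None:
        verdict = "no SYN-ACK: nothing answered the SYN"
    elif proxied and retransmits > 0:
        verdict = ("synproxy completed the outer handshake but is not forwarding: "
                   "check the inner interface for the proxied SYN")
    elif proxied:
        verdict = "synproxy completed the outer handshake"
    else:
        verdict = "end host answered directly (keep state or no proxy)"
    return {"synproxy_answered": bool(proxied),
            "client_ack_retransmits": retransmits, "verdict": verdict}


if __name__ == "__main__":
    for name, trace in (("synproxy", SYNPROXY_TRACE), ("normal", NORMAL_TRACE)):
        print(name, analyze_handshake(parse_trace(trace)))
```

Run against a capture taken on the outer interface (tcpdump -n, with wrapped lines rejoined); a "not forwarding" verdict is the cue to capture on the inner interface as well, since synproxy's second handshake toward the server has to traverse whatever sits behind the firewall, here the router, and its SYN and the router's reply must both pass through pf.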

