synproxy state and route-to issues

Bill Marquette bill.marquette at
Fri Sep 9 20:16:28 PDT 2005

I've got a machine setup with two internet facing interfaces that I want to 
do policy based routing on.

FreeBSD 6 beta 4

First two octets of the IP addresses intentionally masked.

dc0 == lan ( <>)
dc1 == isp1 ( <>)
dc2 == isp2 ( <>)

default route is set to go out isp1, each isp facing NIC is setup for NAT 
for that ISPs IP range
nat on dc1 inet from <> to any -> (dc1) 
 nat on dc2 inet from <> to any -> (dc2) 

 I've got a pass in rule that sets the next hop to isp2 (dc2) for any TCP 
traffic coming from one machine and uses synproxy
pass in quick on dc0 route-to ( dc2 <> ) 
proto tcp from <> to any flags S/SA synproxy 
all other traffic defaults to isp1 (it all works - shown, for examples sake)
pass in quick on dc0 proto tcp from
<>to any flags S/SA synproxy state

 A telnet from a <> to an internet facing 
mail server ( <>) creates the following 
state entries:

[2292384068 + 65441](+4004013808) [2512296240 + 33392](+501048536)
age 00:00:22, expires in 119:59:55, 7:4 pkts, 292:536 bytes, rule 98
id: 43210bb50000e5c8 creatorid: 65f15a74

dc1 tcp <> -> <> -><>ESTABLISHED:ESTABLISHED
[3013344771 + 33397] [2292384068 + 65441]
age 00:00:22, expires in 119:59:54, 2:5 pkts, 84:580 bytes, rule 44
id: 43210bb50000e5c9 creatorid: 65f15a74

dc2 tcp <> -> <> -><>SYN_SENT:CLOSED
[3013344776 + 4294967293] [0 + 65441]
age 00:00:22, expires in 00:14:45, 7:0 pkts, 292:0 bytes, rule 47
id: 43210bb50000e5cc creatorid: 65f15a74

Not totally surprising that synproxy state used the default route to send 
and create the SYN - not expected, but not surprising. You'll note that it 
went out isp1 instead of where the rule sent it to. I can live with this 
semi-unexpected behaviour...however, what ends up happening (and I don't 
have the tcpdump ready now) is that the syn, syn/ack, makes it through isp1, 
and then PF appears to hand control back to the rule processing. The ack 
from <> ends up going out dc2 and getting 
nat'd with dc2's IP address...thus ending any chance at the connection 

syn goes out dc1 with dc1's IP
syn/ack comes in dc1
ack goes out dc2 with dc2's IP
ack from <> returns on dc1 with data and <> actually gets it.

 Can anyone else duplicate this? I'm suspecting that synproxy happens long 
before route-to takes place.


More information about the freebsd-pf mailing list