pf synproxy
Denis Doroshenko
denis.doroshenko at gmail.com
Thu Jul 29 08:27:14 UTC 2010
On 7/29/10, Ryan McBride <mcbride at openbsd.org> wrote:
> On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote:
> > Sadly this means scalability (adding multiple synproxy boxes) is not
> > possible,
...
> synproxy works by completing the 3-way handshake with the source first,
> then negotiating a separate 3-way handshake with the client. Because the
> negotiations are separate and the two endpoints have no direct knowledge
> of each other, the sequence numbers negotiated are different. PF
> handles translation between the different sets of sequence numbers, and
> has to be man-in-the-middle for every packet on the connection in order
> to do this translation.
Maybe the scalability issue raised there may be solved with CARP and
pfsync, so there may be two (or more?) gateways?
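The mechanism Ryan describes above (one handshake with the source, a second one with the destination, then a per-packet sequence-number translation that forces the firewall to see every packet) can be modelled in a few dozen lines. The following is an added example, not pf's own code: it is a simplified model in which the proxy reuses the client's ISN toward the server so that only the server's side of the sequence space needs an offset (a modelling choice, not a claim about how pf picks ISNs). The names `Segment`, `SynProxyState`, `run_session` and `bogus_ack_rejected`, and the HTTP request/reply bytes, are all constructed for the example.

```python
# Added example: a simplified model of synproxy as described in the thread
# (two separate 3-way handshakes, then sequence-number translation on every
# packet). Not pf code. Assumption: the proxy reuses the client's ISN toward
# the server, so only the server-side ISN needs an offset (seqdiff).
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap


def seq_add(a: int, b: int) -> int:
    return (a + b) % MOD


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str            # "S", "SA", "A" or "PA"
    payload: bytes = b""


class SynProxyState:
    """One state entry for a synproxy'd connection (constructed model)."""

    def __init__(self, client_isn: int, proxy_isn: int):
        self.client_isn = client_isn
        self.proxy_isn = proxy_isn     # ISN the proxy chose toward the client
        self.server_isn = None         # learned from the server's SYN-ACK
        self.seqdiff = None            # (server_isn - proxy_isn) mod 2^32
        self.phase = "PROXY_SRC"       # handshake #1 (with the source) pending

    def client_synack(self) -> Segment:
        """Step 2: answer the client's SYN on the server's behalf."""
        return Segment("proxy", "client", self.proxy_isn,
                       seq_add(self.client_isn, 1), "SA")

    def client_ack(self, seg: Segment) -> Segment:
        """Step 3: a valid ACK completes handshake #1 and starts handshake #2.
        A spoofed-source SYN never gets past here: the ACK must carry
        proxy_isn + 1, which only the real source received."""
        if (seg.flags != "A"
                or seg.ack != seq_add(self.proxy_isn, 1)
                or seg.seq != seq_add(self.client_isn, 1)):
            raise ValueError("ACK does not match the proxy's SYN-ACK; dropped")
        self.phase = "PROXY_DST"
        # Step 4: open the real connection, reusing the client's ISN.
        return Segment("proxy", "server", self.client_isn, 0, "S")

    def server_synack(self, seg: Segment) -> Segment:
        """Steps 5/6: record the server's ISN, derive the offset, ACK it."""
        if seg.flags != "SA" or seg.ack != seq_add(self.client_isn, 1):
            raise ValueError("unexpected segment from server")
        self.server_isn = seg.seq
        self.seqdiff = (seg.seq - self.proxy_isn) % MOD
        self.phase = "ESTABLISHED"
        return Segment("proxy", "server", seq_add(self.client_isn, 1),
                       seq_add(seg.seq, 1), "A")

    def forward(self, seg: Segment) -> Segment:
        """Every later packet must pass through here: client->server has its
        ACK shifted into the server's space, server->client has its SEQ
        shifted back into the space the client agreed with the proxy."""
        if self.phase != "ESTABLISHED":
            raise ValueError("no translation before both handshakes complete")
        if seg.src == "client":
            return Segment("client", "server", seg.seq,
                           seq_add(seg.ack, self.seqdiff), seg.flags, seg.payload)
        return Segment("server", "client", (seg.seq - self.seqdiff) % MOD,
                       seg.ack, seg.flags, seg.payload)


def run_session(client_isn, proxy_isn, server_isn,
                request=b"GET / HTTP/1.0\r\n\r\n", reply=b"HTTP/1.0 200 OK\r\n"):
    """Drive both handshakes plus one request/reply; report what each side saw."""
    st = SynProxyState(client_isn, proxy_isn)
    synack = st.client_synack()
    ack = Segment("client", "proxy", seq_add(client_isn, 1), seq_add(synack.seq, 1), "A")
    syn = st.client_ack(ack)
    st.server_synack(Segment("server", "proxy", server_isn, seq_add(syn.seq, 1), "SA"))
    # The client's ACK refers to the proxy's ISN, which the server never saw.
    req = st.forward(Segment("client", "server", seq_add(client_isn, 1),
                             seq_add(proxy_isn, 1), "PA", request))
    # The server's SEQ refers to its own ISN, which the client never saw.
    rsp = st.forward(Segment("server", "client", seq_add(server_isn, 1),
                             seq_add(req.seq, len(request)), "PA", reply))
    return {
        "seqdiff": st.seqdiff,
        "server_saw_ack": req.ack,   # must equal server_isn + 1
        "client_saw_seq": rsp.seq,   # must equal proxy_isn + 1
        "client_saw_ack": rsp.ack,   # client_isn + 1 + len(request)
    }


def bogus_ack_rejected(client_isn, proxy_isn, guessed_ack) -> bool:
    """True if an ACK with a wrong cookie is dropped before any SYN reaches the server."""
    st = SynProxyState(client_isn, proxy_isn)
    st.client_synack()
    try:
        st.client_ack(Segment("client", "proxy", seq_add(client_isn, 1), guessed_ack, "A"))
    except ValueError:
        return st.phase == "PROXY_SRC"
    return False


if __name__ == "__main__":
    print(run_session(1000, 5000, 9000))
```

The `seqdiff` lives in the per-connection state, which is why the box that created it has to stay in the path for the life of the connection. That is also the point to check before relying on CARP and pfsync for this: a failover only helps if the peer holds the same state entry, offset included, for every synproxy'd connection, and whether a given FreeBSD release's pfsync carries that for synproxy states is something to verify on the release in question rather than something this model can show.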