pf synproxy and fragments
LukeD at pobox.com
Fri Apr 1 14:18:22 PST 2005
I'm running 5.3 stable.
I've recently switched from ipfilter to pf to take advantage of the
traffic shaping, and I've run into something I don't understand.
I read the documentation on the synproxy option and it sounded good to me,
so I replaced my "keep state" rules with "synproxy state".
After doing this, I noticed that my filesharing programs stopped
downloading. I switched back to "keep state" for the rules that handled
my filesharing traffic and the problem went away.
Today my brother called and told me that he couldn't get to my website
anymore because his firewall said that my http service was sending a
"fragment attack". I replaced "synproxy state" with "keep state" for the
rules pertaining to httpd and the problem went away.
Specifically, the http traffic rule was (formatted):
pass in quick on $ext_if proto tcp from any to any port 80 flags S/SAFR
synproxy state queue(http_out,ack_out)
Having tried a few other firewalls in the past, I know that some of them
don't like fragmented packets at all.
This week's events make me believe that pf's synproxy option is causing my
server to send out fragments, and those fragments aren't well-received.
Is this normal with synproxy? Am I misusing synproxy? Is this just a
coincidence?
Luke Dean
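As an added illustration (constructed for this page, not taken from Luke's post or from the FreeBSD project), the two rule variants he compares, side by side in pf.conf syntax; the $ext_if macro value and the http_out/ack_out ALTQ queues are assumed to be defined elsewhere in the file:

```pf
# Constructed example. The interface name is a placeholder, and the
# ALTQ queue definitions for http_out and ack_out are assumed to exist above.
ext_if = "fxp0"

# Variant 1: synproxy. pf completes the TCP three-way handshake with the
# client itself, then performs its own handshake with httpd and forwards
# packets between the two. A SYN flood therefore never fills the server's
# listen queue, because no state is created on the server side until the
# client has proven it can complete the handshake. synproxy implies keep state.
pass in quick on $ext_if proto tcp from any to any port 80 \
    flags S/SAFR synproxy state queue(http_out, ack_out)

# Variant 2: plain stateful filtering. The client's SYN is passed straight
# to httpd and pf only tracks the resulting connection. This is the variant
# the poster fell back to for httpd and filesharing traffic.
pass in quick on $ext_if proto tcp from any to any port 80 \
    flags S/SAFR keep state queue(http_out, ack_out)
```

Only one of the two rules should be active for a given port; with "quick" the first matching rule wins.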