
synproxy problems with bridge



Just installed the June 11 snapshot to do some testing with synproxy. 
The server has three NICs installed with fxp0 and fxp1 making up the
bridge and dc0 for remote access.
Traffic through the bridge works fine, unless I enable synproxy.  Both
keep state and modulate state work as expected, the server is reachable
via HTTP.  But if synproxy is enabled the TCP handshake never finishes
and the connection is eventually dropped.
tcp 197.168.131.10:80 <- 216.15.129.172:8524       PROXY:DST
I've tried adding keep state to each of the bridge interfaces (except
with incoming on fxp0) but that didn't seem to make any difference.
Using synproxy to the dc0 IP works perfectly fine, only the bridge has
problems.
Am I missing something?  I am using the synproxy config from the pf.conf
man page.
Relevant configs:
# cat /etc/hostname.fxp0
up
# cat /etc/hostname.fxp1
up
# cat /etc/bridgename.bridge0
add fxp0
add fxp1
up
# cat /etc/pf.conf
# pf.conf
#-----------------------------#
#------ variables ------------#
#
ext_if="dc0"
int_br="fxp1"
ext_br="fxp0"
#-----------------------------#
#------ Settings -------------#
#
# loginterface collects stats for pfstats
set loginterface $ext_br
# TCP timeout settings
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 10000
#-----------------------------#
#------ Normalization --------#
#
scrub in all
scrub out all
#-----------------------------#
#------ Anti-spoofing --------#
#
#antispoof for $ext_if inet
antispoof for lo0
#-----------------------------#
#------ Default Block --------#
#
block in log on $ext_if from any to any label Dflt_Blk
#-----------------------------#
#------ Quick Blocks ---------#
#
# block and log outgoing packets that don't have my address as source,
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance), we want to be nice and don't send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any
# block NMAP OS fingerprint
# http://openbsd.org/faq/faq6.html#PF
#
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP label NMAP_Block_1
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA label NMAP_Block_2
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA label NMAP_Block_3
#-----------------------------#
#------ Loopback -------------#
#
pass in  quick on lo0 all
pass out quick on lo0 all
#-----------------------------#
#------ Bridge ---------------#
#
pass out on $ext_br all
pass out on $int_br all
pass in  on $int_br all
#pass in  on $ext_br keep state
#pass in quick on $ext_br inet proto tcp from any to any port 80 flags S/SA \
#	synproxy state label SynProxy_HTTP
pass in log proto tcp from any to any port www flags S/SA synproxy state
#pass in log proto tcp from any to any port www flags S/SA modulate state
#-----------------------------#
#------ Uplink ---------------#
#
pass out on $ext_if keep state
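The state-table line quoted above ("PROXY:DST") is the most useful clue in a synproxy problem: pf first completes the three-way handshake with the client (the state shows PROXY:SRC), then sends its own SYN to the server and waits for the SYN+ACK (PROXY:DST). A state that sits in PROXY:DST until it times out means the server side of the proxied handshake never completed. The script below is an added example, not part of the original post: it parses `pfctl -s state` output and reports TCP states stuck in either synproxy stage. The sample lines are constructed for the example (only the PROXY:DST line mirrors the one quoted above); on a real host you would feed it the output of `pfctl -s state` instead.

```python
"""Report pf states stuck in a synproxy stage from `pfctl -s state` output."""
import re
import sys
from collections import Counter

# Constructed sample of `pfctl -s state` output for this example.
# Only the PROXY:DST line mirrors the one quoted in the post above.
SAMPLE_STATES = """\
tcp 197.168.131.10:80 <- 216.15.129.172:8524       PROXY:DST
tcp 197.168.131.10:80 <- 216.15.129.172:8531       PROXY:SRC
tcp 197.168.131.10:80 <- 10.1.2.3:40001       ESTABLISHED:ESTABLISHED
tcp 192.0.2.5:22 -> 198.51.100.9:51022       ESTABLISHED:ESTABLISHED
udp 192.0.2.5:53 -> 198.51.100.53:53       MULTIPLE:SINGLE
"""

# One state per line: optional leading interface/"self"/"all" word, protocol,
# "dst <- src" (inbound) or "src -> dst" (outbound), an optional second hop
# for translated states, then the connection state label.
STATE_RE = re.compile(
    r'^(?:\S+\s+)?(?P<proto>tcp|udp|icmp|\w+)\s+'
    r'(?P<left>\S+)\s+(?P<arrow><-|->|<->)\s+(?P<right>\S+)'
    r'(?:\s+(?:<-|->|<->)\s+\S+)?\s+(?P<state>\S+)\s*$'
)

# Meaning of the two synproxy stages printed by pfctl.
PROXY_STAGES = {
    'PROXY:SRC': 'pf still completing the handshake with the client',
    'PROXY:DST': 'client handshake done; pf sent SYN to server, no SYN+ACK yet',
}


def parse_state(line):
    """Return {'proto','src','dst','state'} for one pfctl state line, else None."""
    m = STATE_RE.match(line)
    if not m:
        return None
    left, right = m.group('left'), m.group('right')
    # pfctl prints inbound states as "dst <- src" and outbound as "src -> dst".
    if m.group('arrow') == '<-':
        src, dst = right, left
    else:
        src, dst = left, right
    return {'proto': m.group('proto'), 'src': src, 'dst': dst,
            'state': m.group('state')}


def synproxy_report(text):
    """Count TCP state labels and list (src, dst, stage) for proxied states."""
    counts = Counter()
    stuck = []
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or st['proto'] != 'tcp':
            continue
        counts[st['state']] += 1
        if st['state'] in PROXY_STAGES:
            stuck.append((st['src'], st['dst'], st['state']))
    return counts, stuck


def main(argv):
    # With no argument, run on the constructed sample; otherwise read a file
    # containing saved `pfctl -s state` output.
    text = SAMPLE_STATES if len(argv) < 2 else open(argv[1]).read()
    counts, stuck = synproxy_report(text)
    for label, n in sorted(counts.items()):
        print(f'{n:5d}  {label}')
    for src, dst, stage in stuck:
        print(f'{src} -> {dst}: {stage} ({PROXY_STAGES[stage]})')
    return 1 if stuck else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

A pile of PROXY:DST entries for one server, with no ESTABLISHED states next to them, says the SYN pf itself generates is not getting an answer; PROXY:SRC entries say clients are not completing their side, which is the normal signature of a SYN flood.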