
Re: synproxy problems with bridge

On Thu, 12 Jun 2003, Kevin wrote:
> Just installed the June 11 snapshot to do some testing with synproxy.
> The server has three NICs installed with fxp0 and fxp1 making up the
> bridge and dc0 for remote access.
> Traffic through the bridge works fine, unless I enable synproxy.  Both
> keep state and modulate state work as expected, the server is reachable
> via HTTP.  But if synproxy is enabled the TCP handshake never finishes
> and the connection is eventually dropped.
> tcp <-       PROXY:DST
> I've tried adding keep state to each of the bridge interfaces (except
> with incoming on fxp0) but that didn't seem to make any difference.
> Using synproxy to the dc0 IP works perfectly fine, only the bridge has
> problems.
> Am I missing something?  I am using the synproxy config from the pf.conf
> man page.
return-{rst,icmp,icmp6} and synproxy don't work on a bridge.
[email protected] added a remark to pf.conf(5) and bridge(4) about this yesterday.
NOTES of -current bridge(4) state
     It is unsupported to use filter rules which would generate packets.  This
     applies to rules with return, return-rst, return-icmp, return-icmp6 or
     synproxy defined.
Dries Schellekens
email: [email protected]
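
The following is an added example, not part of the original message or of OpenBSD: a small lint that flags pf.conf rules using the keywords named in the bridge(4) note when they apply to a bridge member interface. The sample ruleset, the lint() helper and the macro names are constructed for illustration; the interface names mirror the setup described in the thread.

```python
import re

# Keywords that make pf generate packets itself, per the bridge(4) note quoted above.
GENERATING = re.compile(r"\b(return-rst|return-icmp6|return-icmp|return|synproxy)\b")
MACRO = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')
ON_CLAUSE = re.compile(r"\bon\s+(\{[^}]*\}|\S+)")

# Constructed sample ruleset (not from the thread); fxp0/fxp1 form the bridge, dc0 does not.
SAMPLE = '''\
ext_if = "fxp0"
web = "192.0.2.10"
pass in on $ext_if proto tcp to $web port www flags S/SA synproxy state
pass in on dc0 proto tcp to port ssh flags S/SA synproxy state
block return-rst in on { fxp0, fxp1 } proto tcp to port 113
block in on fxp1 all
pass out keep state
'''


def lint(pf_conf, bridge_members):
    """Return [(line_no, keyword, rule)] for pass/block rules that would make pf
    generate packets on a bridge member. Line-based heuristic, not a pf parser."""
    members, macros, findings = set(bridge_members), {}, []
    for no, raw in enumerate(pf_conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        macro = MACRO.match(line)
        if macro:
            macros[macro.group(1)] = macro.group(2).strip()
            continue
        # Expand simple $macro references before inspecting the rule.
        line = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)
        keyword = GENERATING.search(line)
        if not line.startswith(("pass", "block")) or not keyword:
            continue
        on = ON_CLAUSE.search(line)
        # A rule with no "on" clause applies to every interface, bridge members included.
        if on and not members & set(re.findall(r"[\w.]+", on.group(1))):
            continue
        findings.append((no, keyword.group(1), line))
    return findings


if __name__ == "__main__":
    for no, keyword, rule in lint(SAMPLE, ["fxp0", "fxp1"]):
        print(f"line {no}: '{keyword}' on a bridge member: {rule}")
```

Negated interfaces (on ! if) and tables are not interpreted, so treat the output as a prompt for manual review of the ruleset.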