Re: synproxy mysteriously stopped working???
On Sun, Jan 25, 2004 at 03:50:22PM -0800, Scott L. Burson wrote:
> I repeat, this ruleset had been working fine with `synproxy state' for a
> good 3 weeks, and I don't think this was even the first time I had rebooted
> the firewall. Could I have changed something that made synproxy stop
> working? Conceivably, but I have no idea what and don't recall changing
Something must have changed; try to find out what (even if it seems
impossible that it is related). Either the system was updated (when,
from/to what version?) or the ruleset has changed (what rules?).

If you changed nat rules, that might be a reason. synproxy doesn't work
with some nat translations (never did), for instance

  nat on $ext_if from 10.0.0.0/8 to any -> 22.214.171.124
  pass in on $int_if from 10.0.0.0/8 to any synproxy state

When 10.1.2.3 connects to 126.96.36.199, synproxy will first handshake
with the client (which works), but then replay the handshake with
188.8.131.52 through $ext_if, without applying the nat translation.

If this is what happens, it should be easy to spot with tcpdump -nvvvS
running on all interfaces, capturing one failing TCP connection attempt.
The handshake packets generated by synproxy are always passed
unconditionally (without matching/creating state or getting translated
further on subsequent interfaces).

Without a tcpdump it's hard to tell.
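The tcpdump check suggested above, as an added example that is not part of the original thread: it scans a capture taken on $ext_if for outgoing SYNs that still carry a 10.0.0.0/8 source address, which is what the untranslated synproxy handshake would look like. The sample capture lines are constructed, and the parser assumes the classic BSD tcpdump -nvvvS line format shown in them.

```python
# Added example, not from the mailing-list thread: find SYN packets leaving on
# the external interface whose source address was never nat-translated.
import ipaddress
import re

# Classic BSD tcpdump line (assumed format):
#   ts src.port > dst.port: FLAGS seq:seq(len) ...   with FLAGS like S, S., ., P.
TCP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)"
)

def parse_tcp_line(line):
    """Return (src, dst, flags) for one TCP tcpdump line, or None if it doesn't parse."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("flags")

def is_pure_syn(flags):
    """SYN set and ACK ('.') clear: the opening packet of a handshake."""
    return "S" in flags and "." not in flags

def untranslated_syns(ext_if_lines, internal_net="10.0.0.0/8"):
    """SYNs seen on the external interface whose source is still an internal
    address, i.e. the nat rule was not applied to them."""
    net = ipaddress.ip_network(internal_net)
    hits = []
    for line in ext_if_lines:
        parsed = parse_tcp_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if is_pure_syn(flags) and ipaddress.ip_address(src) in net:
            hits.append((src, dst))
    return hits

# Constructed sample capture from $ext_if, using the addresses from the mail.
# Line 1: replayed handshake with the internal source left untranslated (the symptom).
# Line 2: a correctly translated SYN.  Line 3: the server's SYN/ACK reply.
SAMPLE_EXT_IF = [
    "12:00:01.000001 10.1.2.3.40123 > 126.96.36.199.80: S 1000:1000(0) win 16384 <mss 1460> (DF) (ttl 64, id 1, len 60)",
    "12:00:02.000002 22.214.171.124.40124 > 126.96.36.199.80: S 2000:2000(0) win 16384 <mss 1460> (DF) (ttl 63, id 2, len 60)",
    "12:00:02.000003 126.96.36.199.80 > 22.214.171.124.40124: S. 3000:3000(0) ack 2001 win 5840 <mss 1460> (DF) (ttl 54, id 3, len 60)",
]

if __name__ == "__main__":
    for src, dst in untranslated_syns(SAMPLE_EXT_IF):
        print(f"untranslated SYN on $ext_if: {src} -> {dst}")
```

Feed it the real capture with `tcpdump -nvvvS -i $ext_if tcp` piped to a file; any hit means the nat rule is being bypassed for that connection.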