[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Synproxy broken on latest snapshots?



Unable to get synproxy working using snapshot dated June 28,
previously was using one from about 2 weeks ago which also did not
work.  TCP handshake is never completed, state remains PROXY:DST until
the client times out.  Modulate or keep state works as normal.  Am I
missing something?  I've used synproxy before and it worked quite
well, just can't figure out what I am doing wrong, configuration is
kept very simple for testing.  Included below is the pf.conf, pfctl
-sa and ifconfig -a output.
Thanks,
Kevin
# cat /etc/pf.conf.syn
pass in log quick on em0 proto tcp from any to any port 80 \
        flags S/SA synproxy state
pass in log quick on em0 from any to any \
        flags S/SA keep state
# pfctl -sa
FILTER RULES:
pass in log quick on em0 proto tcp from any to any port = www flags
S/SA synproxy state
pass in log quick on em0 all flags S/SA keep state
No queue in use
STATES:
self tcp 216.15.185.220:80 <- 216.15.129.88:31388       PROXY:DST
INFO:
Status: Enabled for 0 days 00:07:56           Debug: Urgent
Hostid: 0xcdd898be
State Table                          Total             Rate
  current entries                        1               
  searches                            1150            2.4/s
  inserts                                4            0.0/s
  removals                               3            0.0/s
Counters
  match                               1080            2.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10 states
adaptive.start                0 states
adaptive.end                  0s
src.track                     0s
LIMITS:
states     hard limit  10000
src-nodes  hard limit  10000
frags      hard limit   5000
OS FINGERPRINTS:
345 fingerprints loaded
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000 
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:07:e9:0c:ec:e9
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 216.15.185.220 netmask 0xffffff00 broadcast 216.15.185.255
        inet6 fe80::207:e9ff:fe0c:ece9%em0 prefixlen 64 scopeid 0x1
fxp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:92:48:bc
        media: Ethernet autoselect (none)
        status: no carrier
fxp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:3a:7b:37
        media: Ethernet autoselect (none)
        status: no carrier
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536