
synproxy weirdness

I'm a network admin at a community college in Seattle.  I have an OpenBSD PF
firewall between the outside world and our web server.  I enabled 'synproxy
state' on the inbound connections to port 80 to the web server.  After a few
weeks about 3 people started complaining that our web page had gone away.
Out of the 10,000 odd people who view our web page, these folks were the
only ones having trouble, and it wasn't intermittent, they were completely
blocked.  I just switched the rule from 'synproxy' to 'modulate' and now
they can see our web page.
My best theory is that they are using a weird NAT server/firewall gizmo
that's doing something that's strictly not OK, but not harmful, and the
firewall is dumping their connections on the floor.  I saw no pflog entries
(all my 'block' rules log), and /var/log/messages didn't have any 'BAD state'
entries with an IP address from the one blocked user whose IP address I
could verify.
Has anyone else noticed anything like this?
Is it possible to make synproxy make a log entry when it doesn't like a
connection?  I'd like to know exactly why synproxy didn't like those
-Dylan Martin
Seattle, WA
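For readers following the thread, here is an added pf.conf fragment (not from the original post, and not the poster's configuration) that puts the two rule forms mentioned above side by side, together with a logging block rule of the kind the poster relies on. The interface name, the web server address and the `flags S/SA` wording are assumptions for illustration.

```pf
# Added example, not the poster's pf.conf.  Macros below are assumed values.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Raise PF's debug level so "BAD state" messages reach /var/log/messages;
# at the default level they are not printed at all.
set debug misc

# Log every block so silent drops show up on pflog0.
block log all

# Variant A: PF answers the client's SYN itself and only opens a connection
# to the web server once the client's handshake completes.  A client (or a
# NAT box in front of it) whose handshake is off-spec fails here, and
# synproxy itself writes no log line for that failure.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state

# Variant B: the rule the poster switched to.  PF only rewrites initial
# sequence numbers and tracks state; the handshake runs end to end.
# pass in on $ext_if proto tcp from any to $web_srv port 80 \
#     flags S/SA modulate state
```

To compare the two, load the ruleset with `pfctl -f /etc/pf.conf`, watch dropped packets with `tcpdump -n -e -ttt -i pflog0`, and watch the raw exchange toward the web server with `tcpdump -n -i em0 host 192.0.2.10 and port 80` while an affected client retries. A SYN that arrives and gets a SYN/ACK back with no further packets from the client, and nothing on pflog0, is consistent with the handshake stalling at the proxy rather than with a block rule firing. `set debug misc` is equivalent to running `pfctl -x misc` at the command line and can be turned back down with `pfctl -x none` once the investigation is done.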