
Re: synproxy weirdness



Dylan,

Yes, I had noticed a problem too (and I was surprised that synproxy is apparently rarely used).

There was a bug in synproxy and a fix for 3.6 current was just committed yesterday by Daniel Hartmeier.
A patch for 3.6 is here: http://marc.theaimsgroup.com/?l=openbsd-tech&m=109061815114526&w=2


However, with this bug you should see blocked ACK packets in your pf log, and you're not seeing anything, so maybe yours is a different problem.

Might be worth a try to use the patch and compile and install a new kernel. Beware: the patch is only for 3.6.

Daniel
==== Original message from Dylan Martin at 13-11-2004 3:21

I'm a network admin at a community college in Seattle. I have an OpenBSD PF
firewall between the outside world and our web server. I enabled 'synproxy
state' on the inbound connections to port 80 to the web server. After a few
weeks about 3 people started complaining that our web page had gone away.
Out of the 10,000 odd people who view our web page, these folks were the
only ones having trouble, and it wasn't intermittent, they were completely
blocked. I just switched the rule from 'synproxy' to 'modulate' and now
they can see our web page.


My best theory is that they are using a weird NAT server/firewall gizmo
that's doing something that's strictly not OK, but not harmful, and the
firewall is dumping their connections on the floor. I saw no pflog entries
(all my 'block' rules log), and /var/log/messages didn't have any 'BAD state'
entries with an IP address from the one blocked user whose IP address I
could verify.

Has anyone else noticed anything like this?

Is it possible to make synproxy make a log entry when it doesn't like a
connection? I'd like to know exactly why synproxy didn't like those
connections.


Thanks
-Dylan Martin
Seattle, WA
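The two rule variants Dylan describes, written out as a pf.conf fragment. This is an added example, not a configuration from either poster; the interface name and server address are made up.

```pf
# Constructed example (not from the thread); ext_if and web_srv are assumed.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Log every block so dropped packets show up in pflog, as in Dylan's setup.
block log all

# Rule as Dylan originally ran it: pf answers the client's SYN and completes
# the TCP handshake itself, and only then opens a connection to the web server.
pass in on $ext_if proto tcp from any to $web_srv port 80 synproxy state

# Rule Dylan switched to: the handshake passes straight through to the server
# and pf only rewrites (modulates) the initial sequence numbers.
# pass in on $ext_if proto tcp from any to $web_srv port 80 modulate state
```

Only one of the two pass rules should be active at a time, since with PF's last-match semantics the later one would otherwise win.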