Re: synproxy



On Mon, Jan 24, 2005 at 11:04:07PM +0100, Per-Olov Sjöholm wrote:
> Today I use "set state-policy floating". Which I assume is the default.
Yes, it's the default.
> I am not 100% sure what if-bound means, as all sessions going through the fw have a
> state per interface.
if-bound means that a state entry will match packets only on the
interface the state was created on. floating states can match packets on
any interface. Sometimes, that's intended, like when you have multiple
uplinks and dynamically change routing through them.
> Where can I find more info about it than in "man 
> pf.conf" ?
I don't know of any specific articles, but it must have been explained a
couple of times on the mailing lists. Have you tried google?
> Btw... can I use "(if-bound)" on just that rule containing "synproxy
> state"?
Yes, there's the global default 'set state-policy' and you can use
'if-bound' as an option of 'keep state'.
> And why has this behaviour changed from 3.5 to 3.6?
> (I have read the link you sent, and you talk a lot about the loopback, which
> isn't the problem)
People wanted the packets generated by synproxy (replaying the TCP
handshake with the server) getting filtered by pf, so they can create
state on internal interfaces.
If one of the connection endpoints is the firewall itself, pf sees
packets on loopback as well, see
  http://marc.theaimsgroup.com/?l=openbsd-tech&m=108914317421586&w=2
Daniel
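Added illustration (not part of the list message, and not the poster's or Daniel's configuration): a pf.conf fragment in OpenBSD 3.6-era syntax showing the two things discussed above side by side, the global `set state-policy` default and the per-rule `(if-bound)` option on the `synproxy state` rule, plus the outbound rule on the internal interface that pf can now create state for because synproxy's replayed handshake is filtered. Interface names, the server address and the port are assumed placeholders.

```pf
# Assumed placeholders for this example.
ext_if  = "fxp0"
int_if  = "fxp1"
web_srv = "192.0.2.10"    # constructed documentation address

# Global default: states match packets on any interface.
# This is pf's default even when the line is omitted.
set state-policy floating

# Per-rule override: the states created by this synproxy rule match only
# on $ext_if, where they were created. if-bound is an option of the state
# keyword and works with keep/modulate/synproxy state alike.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state (if-bound)

# Since 3.6 the handshake that synproxy replays toward the server passes
# through the filter, so a rule on the internal interface can track it
# with its own state instead of relying on the floating $ext_if state.
pass out on $int_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state (if-bound)

# Everything else keeps the floating default set above.
pass out on $ext_if proto tcp all flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and after loading, `pfctl -ss` shows each state with the interface it is bound to, which makes the difference between the if-bound and floating entries visible.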