
Re: when to use synproxy (and when not ;)

On Mon, 2005-11-07 at 10:45 +0100, Joel CARNAT wrote:
> Hi,
> On my firewall (not bridge), all accepted incoming requests to my hosted
> services are allowed with 'flags S/SA modulate state'. As my firewall is
> a NAT router, I thought I might use 'synproxy' rather than 'modulate
> state'. Because my firewall is not configured as a bridge, and according
> to the man page, this looks like a good idea.
> Reading OpenBSD pf documentation and reading pf.conf example on google,
> it seems using 'synproxy' is not that automatic.
> So my question is, can I automatically use 'flags S/SA modulate state'
> to allow incoming requests or are there any restrictions (e.g. not
> with ICMP, or not with domain/UDP, ...)?
If I remember right, the new versions of pf/pfctl interpret "modulate
state" as "keep state" when the former does not make sense (non-TCP).
The only caveat I know of is, don't use "synproxy state" for services
that may not be up all the time, as it will show as a completed and
immediately dropped connection on the client side. "modulate state" does
not have this problem.
Shawn K. Quinn <[email protected]>
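As an added illustration (not part of Shawn's reply or the original thread), here is a pf.conf fragment that applies the advice above: synproxy only for a TCP service that is always reachable, modulate state for one that is not, and keep state for non-TCP. The interface name and addresses are assumed placeholders.

```pf
# Added example, not from the thread. Interface and hosts are hypothetical.
ext_if  = "fxp0"
www_srv = "192.0.2.10"   # always-up web server: safe to synproxy
lab_srv = "192.0.2.20"   # host that is often down: do NOT synproxy

# Always-up TCP service: pf completes the three-way handshake with the
# client itself and only then opens the connection to the server, so
# half-open SYNs never reach the server.
pass in on $ext_if proto tcp from any to $www_srv port 80 \
    flags S/SA synproxy state

# Service that may be down: with synproxy the client would see a completed
# connection that is immediately reset, so use modulate state instead
# (sequence numbers are still randomised, no proxying of the handshake).
pass in on $ext_if proto tcp from any to $lab_srv port 22 \
    flags S/SA modulate state

# Non-TCP traffic: 'flags' and ISN modulation do not apply; use keep state.
pass in on $ext_if proto udp from any to $www_srv port 53 keep state
pass in on $ext_if inet proto icmp from any to $www_srv \
    icmp-type echoreq keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading; a parse error here is the usual sign that a TCP-only option was applied to a UDP or ICMP rule.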