
Re: synproxy must be if-bound



On Thu, Nov 17, 2005 at 02:04:54AM +0100, Jonas Davidsson wrote:
> I found this in an old archive while I was in the midst of pulling my hair out trying to figure out why synproxy refused to
> work for local services. This of course helped (I put if-bound in the options for that individual rule),
> but why isn't this mentioned anywhere in the manual yet?
> I'm currently running OpenBSD 3.8-release.
I guess it got lost. Since then, we added the 'set skip on lo' feature
(which is part of the example pf.conf), which resolves this issue, and
others.
Instead of going into the gory details of how loopback filtering breaks
synproxy in this case, I think it would be better to simply recommend
skipping filtering on loopback, in general. The cases where it's
actually useful are equally technical.
The man page in 3.8 contains this part:
     set skip on <ifspec>
           List interfaces for which packets should not be filtered.  Packets
           passing in or out on such interfaces are passed as if pf was
           disabled, i.e. pf does not process them in any way.  This can be
           useful on loopback and other virtual interfaces, when packet
           filtering is not desired and can have unexpected effects.  For
           example:
                 set skip on lo0
You either didn't spot it at this location or the 'can have unexpected
effects' part was not enough of a warning. Where would you relocate it to
or how would you reword it to make it clearer?
Daniel
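As an added illustration (not part of the thread above, and not taken from the OpenBSD example pf.conf), here is a minimal pf.conf in the 3.8-era syntax that puts the two approaches from the thread side by side: the general fix Daniel recommends, 'set skip on lo0', and the per-rule 'if-bound' state option that the original poster used. The interface name fxp0 and the service on port 80 are assumptions for the sake of the example.

```pf
# Assumed external interface; replace with the real one.
ext_if = "fxp0"

# Recommended fix from the thread: do not filter loopback at all.
# Packets on lo0 are then passed as if pf were disabled, so the
# loopback filtering that interferes with synproxy for local
# services is taken out of the picture entirely.
set skip on lo0

# Default deny on the external interface.
block in on $ext_if

# synproxy in front of a service running on this host.
# With 'set skip on lo0' above, no per-rule state option is needed.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA synproxy state

# Per-rule alternative used by the original poster: bind the
# state entry to the interface it was created on, instead of
# (or in addition to) skipping loopback. Either form resolves
# the problem he describes; the thread recommends the global
# 'set skip on lo0' as the simpler choice.
#
# pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
#     flags S/SA synproxy state (if-bound)
```

Check the file with 'pfctl -nf /etc/pf.conf' before loading it; the parser will reject the state option syntax if the running release is older than the one the option was introduced in.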