
Re: synproxy must be if-bound



On Wednesday 16 November 2005 07:30 pm, Daniel Hartmeier wrote:
> On Thu, Nov 17, 2005 at 02:04:54AM +0100, Jonas Davidsson wrote:
> > I found this in an old archive while I was in the midst of pulling
> > my hair out trying to figure why synproxy refused to work for local
> > services. This of course helped, (I put if-bound in the options for
> > that individual rule) but why isn't this mentioned anywhere in the
> > manual yet?
> > I'm currently running OpenBSD 3.8-release.
>
> I guess it got lost. Since then, we added the 'set skip on lo'
> feature (which is part of the example pf.conf), which resolves this
> issue, and others.
>
> Instead of going into the gory details of how loopback filtering
> breaks synproxy in this case, I think it would be better to simply
> recommend skipping filtering on loopback, in general. The cases where
> it's actually useful are equally technical.
>
> The man page in 3.8 contains this part
>
>      set skip on <ifspec>
>            List interfaces for which packets should not be filtered.
>            Packets passing in or out on such interfaces are passed as if pf
>            was disabled, i.e. pf does not process them in any way.  This can
>            be useful on loopback and other virtual interfaces, when packet
>            filtering is not desired and can have unexpected effects.  For
>            example:
>
>                  set skip on lo0
>
 
If that is the case, then a filter rule that says:
	pass quick on lo0 all
is essentially useless when the "set skip on lo" option is defined.
Good this was brought up because I have spotted both used in the same
example.
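An added example pf.conf fragment (not from the thread; the interface name and service port are assumed) contrasting the filtered-loopback setup the thread describes with the 'set skip on lo0' form Daniel recommends:

```pf
# Added example, not from the thread. Assumed: external interface fxp0,
# a local web service on port 80, OpenBSD 3.8-era pf syntax.
ext_if = "fxp0"

# Original setup described in the thread: loopback is filtered by an
# explicit rule, and a synproxy rule for a local service with the default
# floating state does not work.
#
#   pass quick on lo0 all
#   pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
#       flags S/SA synproxy state
#
# Workaround the original poster used: bind that rule's state to the
# interface it was created on.
#
#   pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
#       flags S/SA synproxy state (if-bound)

# Recommended form: do not filter loopback at all. With this option in
# place, "pass quick on lo0 all" is redundant and can be dropped, and the
# synproxy rule needs no if-bound.
set skip on lo0

block in on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA synproxy state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it.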