NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pf synproxy doesn't pass to local services



I've run into trouble with pf's "synproxy state" option on
NetBSD-4.0_STABLE.  The examples are on i386--haven't had a chance to
try other ports yet.

If I have a pf rule that allows access to a locally-running service,
"synproxy state" proxies the TCP handshake, but the connection is never
passed on to the local service.

For example, to allow incoming SSH on my laptop:

  pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state

No further segments are sent after the client ACK.

If I revert to "modulate state" or just "keep state" incoming connections
to local services succeed.


"synproxy state" works properly if the rule pertains to a redirected
connection.  For example, my firewall redirects SSH to an internal host
with:

  rdr on $ext_if proto tcp from !($ext_if) to ($ext_if) port ssh \
      -> $ssh_host port ssh

  pass in on $ext_if proto tcp to $ssh_host port ssh synproxy state

pf synproxy state works correctly with local services on OpenBSD 4.2.


Has anyone else see this?

--
John D. Baker, KN5UKS                    NetBSD     Darwin/MacOS X
jdbaker(at)mylinuxisp(dot)com                 OpenBSD            FreeBSD
BSD -- It just sits there and _works_!
GPG fingerprint:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645



Home | Main Index | Thread Index | Old Index