tech-net archive
pf synproxy doesn't pass to local services
I've run into trouble with pf's "synproxy state" option on
NetBSD-4.0_STABLE. The examples are on i386--haven't had a chance to
try other ports yet.
If I have a pf rule that allows access to a locally-running service,
"synproxy state" proxies the TCP handshake, but the connection is never
passed on to the local service.
For example, to allow incoming SSH on my laptop:
pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
No further segments are sent after the client ACK.
If I revert to "modulate state" or just "keep state" incoming connections
to local services succeed.
"synproxy state" works properly if the rule pertains to a redirected
connection. For example, my firewall redirects SSH to an internal host
with:
rdr on $ext_if proto tcp from !($ext_if) to ($ext_if) port ssh \
-> $ssh_host port ssh
pass in on $ext_if proto tcp to $ssh_host port ssh synproxy state
pf synproxy state works correctly with local services on OpenBSD 4.2.
Has anyone else seen this?
--
John D. Baker, KN5UKS NetBSD Darwin/MacOS X
jdbaker(at)mylinuxisp(dot)com OpenBSD FreeBSD
BSD -- It just sits there and _works_!
GPG fingerprint: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645