pf: synproxy + packet tagging
Daniel Hartmeier
Posted: Mon Apr 04, 2005 8:58 am    Post subject: Re: pf: synproxy + packet tagging

On 30 Mar 2005 18:02:02 -0800, clintpachl@gmail.com wrote:

Quote:
When I use synproxy and tagging together, traffic does not pass through
my firewall as expected. I just read a post that PF creates an
implicit tag for synproxy rules, thus overwriting any explicit tags.
Consequently, following rules that look for the explicit tag will fail.
Is this true and has it been fixed/patched? Is tagging reliable? I am
using PF on OpenBSD 3.6.

These are separate tags, neither one overwriting the other. So your
problem is not caused by overwritten tags.

There have been several changes to the way pf filters its own
generated packets (like those produced by synproxy), I suggest
you update to -current or a new -stable.

Then, add 'set state-policy if-bound' and retry.

Daniel
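The ruleset below is an added example, not part of either post: it takes the original poster's two tagged rules and applies the reply's suggestion of 'set state-policy if-bound'. The interface names dc0 (Internet side) and dc1 (DMZ side) come from the original post; the server address is a placeholder.

```pf
# /etc/pf.conf (added example). dc0 and dc1 are the interfaces named in the
# original post; the DMZ http server address below is a placeholder.
ext_if  = "dc0"
dmz_if  = "dc1"
www_srv = "192.0.2.10"   # placeholder address, not from the thread

# Suggested in the reply: bind every state entry to the interface on which it
# was created instead of letting it float across interfaces.
set state-policy if-bound

# Incoming traffic destined for the http server on the DMZ. synproxy makes pf
# complete the TCP handshake with the client itself before it opens the
# connection to the server; the explicit tag marks the connection so the
# outbound rule can match it.
pass in on $ext_if proto tcp to $www_srv port http tag toDmz flags S/SA synproxy state

# Only connections carrying the explicit tag are passed on to the DMZ.
pass out quick on $dmz_if tagged toDmz modulate state
```

Check the syntax with 'pfctl -nf /etc/pf.conf' before loading it, and use 'pfctl -vsr' afterwards to confirm the tag appears on the loaded rules.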
Guest

Posted: Thu Mar 31, 2005 12:02 am    Post subject: pf: synproxy + packet tagging

When I use synproxy and tagging together, traffic does not pass through
my firewall as expected. I just read a post that PF creates an
implicit tag for synproxy rules, thus overwriting any explicit tags.
Consequently, following rules that look for the explicit tag will fail.
Is this true and has it been fixed/patched? Is tagging reliable? I am
using PF on OpenBSD 3.6.

I noticed that if I pass traffic in or out of the firewall without
tags, synproxy works, but with about a 3 second delay. I have also
tried combinations of modulate/keep state, if-bound, flags/no flags,
etc, but nothing. If I use modulate instead of synproxy, all of my
rules work just fine, but I don't get the benefits of synproxy. Here is
a simple example of passing traffic from the Internet to the DMZ and
back.

# Incoming traffic destined for an http server on the DMZ
pass in on dc0 proto tcp to port http tag toDmz flags S/SA synproxy state

# Tagged version: fails to pass traffic to the DMZ
pass out quick on dc1 tagged toDmz modulate state

# Non-tagged version: passes traffic to the DMZ, but with 3s delay
pass out quick on dc1 modulate state

Any help/hints are appreciated, thanks.