On Wednesday 23 November 2005 14:42, Alex wrote:
> In contrast, looks like synproxy is _not_ working in 6-stable from
> November, 22nd.
> The same ruleset for inbound traffic is working successfully on
> 5.4-STABLE.
> The workaround I've done is a change 'synproxy' option to 'modulate'
> Any ideas and info?

There has been a change in how synproxy works. With OpenBSD's revision 1.437
of pf.c:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.437
the secondary handshake no longer passes unconditionally, but must be allowed
by a separate rule. Something like:

  pass on $int_if proto tcp from any to $synproxied flags S/SA

should do. Can you please check and confirm?

I am afraid this difference in behavior from normal "keep/modulate" vs.
"synproxy" is underdocumented - suggestions appreciated.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
