On Thu, Sep 11, 2003 at 07:37:44PM +0200, Ed White wrote:
> On Thursday 11 September 2003 16:22, Daniel Hartmeier wrote:
> > Oh, the dreaded payload inspection / passing to userland for inspection
> > topic. This is basically unrelated to syn proxying, of course you can
> > combine both once you have both. But sneaking it through syn-proxy is
> > unlogical ;)
>
> The fact is that syn-proxy manages already two tcp connections.
>
I think you misunderstood something. syn-proxy is not a real proxy as in
ftp-proxy. The syn-proxy is nothing more than some state table magic, so the
synproxy state option does not add any overhead. You can compare synproxy
with a modulate state rule, with the only difference that the first syn to
the server will be delayed.

> > 2) application level filtering
> > how can syn-proxy talk to a userland program, maybe sharing a buffer ?

This could be done with a rdr and a pass rule. Something like:

rdr on $extif proto tcp from any to any port $service -> 127.0.0.1 port $proxy

and

pass in on lo0 proto tcp from any to 127.0.0.1 port $proxy synproxy state

should do the job. What I'm currently pondering is if the syn/ack sent by the
synproxy rule will be correctly translated. That's something to either test
or ask a pf guru.

> > Any idea to solve these 2 problems ?

IMHO there are no problems, just misunderstandings. As already said, synproxy
is just a "keep state" on steroids.

-- 
:wq Claudio
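An added pf.conf example (not from the thread) that puts the two points of the message side by side in the 2003-era syntax the message uses: synproxy state used directly in place of keep state to shield a server from SYN floods, and the rdr plus pass combination in front of a local userland proxy. Interface names, addresses and the proxy port are constructed values, and the pass rule for the redirected traffic is placed on the external interface, where pf evaluates the already translated packet.

```pf
# Added example, not from the mailing-list thread. Old pf.conf syntax
# (rdr as a separate translation rule). All names and addresses below
# are constructed for illustration.
ext_if   = "fxp0"
mail_srv = "192.168.1.20"     # server behind the firewall (constructed)
smtp     = "25"
http     = "80"
proxy    = "8080"             # userland HTTP proxy on 127.0.0.1 (assumed)

# Loopback is never filtered; local traffic to the proxy stays untouched.
pass quick on lo0 all

block in log on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state

# 1) synproxy in place of keep state: pf completes the TCP handshake with
#    the client itself and only afterwards sends a SYN to the server, so
#    half-open connections from a SYN flood never reach $mail_srv. The
#    resulting state entry is the same kind as keep state / modulate state,
#    which is why the option adds no per-packet overhead once established.
pass in on $ext_if proto tcp from any to $mail_srv port $smtp \
    flags S/SA synproxy state

# 2) synproxy in front of a userland proxy (application-level filtering).
#    rdr runs before the filter rules, so the pass rule must match the
#    rewritten destination 127.0.0.1:$proxy, not the original one.
#    Whether the proxied SYN/ACK is translated correctly is the open point
#    of the message and should be verified with tcpdump on pflog0.
rdr on $ext_if proto tcp from any to any port $http -> 127.0.0.1 port $proxy
pass in on $ext_if proto tcp from any to 127.0.0.1 port $proxy \
    flags S/SA synproxy state
```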
