On Thursday 11 September 2003 20:44, Claudio Jeker wrote:
> > The fact is that syn-proxy manages already two tcp connections.
>
> I think you misunderstood something. syn-proxy is not a real proxy as in
> ftp-proxy. The syn-proxy is nothing more than some state table magic so
> the synproxy state option does not add any overhead. You can compare
> synproxy with a modulate state rule, with the only difference that the
> first syn to the server will be delayed.

No, syn-proxy manages 2 different tcp connections. ISNs define a connection.

Synproxy has 3 phases:
1) 3way handshake with client
2) 3way handshake with server
3) modulate state

Adding a hook point for a software between point 1 and 2 is what I'm talking 
about. Clearly this means _modify_ syn-proxy or add another piece of code 
similar to it.


> > how can syn-proxy talk to a userland program, maybe sharing a buffer ?
>
> This could be done with a rdr and a pass rule.
> Something like:
> rdr on $extif proto tcp from any to any port $service -> 127.0.0.1 port
> $proxy and
> pass in on lo0 proto tcp from any to 127.0.0.1 port $proxy synproxy state

I've already talked about this.

It's not the same thing I'm asking:
1) you have a valid service on your firewall
2) you have 3 tcp connections per client


        Ed
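The three phases Ed lists above, as an added toy model (not pf code and not part of the original thread): the firewall picks its own ISN toward the client, the server later picks another, and from phase 3 on every segment's seq/ack must be shifted by the difference, which is why phase 3 behaves like modulate state. The model assumes the firewall reuses the client's ISN toward the server, so only the server-facing numbers need translation; the ISN values are constructed.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


@dataclass
class SynproxyState:
    """One synproxy state entry; two handshakes, two ISN spaces."""
    client_isn: int        # ISN the client sent in its SYN
    proxy_isn: int         # ISN the firewall chose in its SYN-ACK (phase 1)
    server_isn: int = 0    # ISN the server chose in its SYN-ACK (phase 2)
    phase: int = 1
    delta: int = 0         # server_isn - proxy_isn, applied in phase 3

    def client_handshake_done(self):
        # Phase 1 complete: client ACKed proxy_isn + 1. The server has
        # seen nothing so far, which is the whole point of synproxy.
        self.phase = 2

    def server_handshake_done(self, server_isn):
        # Phase 2 complete: firewall sent SYN(seq=client_isn), server
        # answered SYN-ACK(seq=server_isn, ack=client_isn + 1).
        self.server_isn = server_isn
        self.delta = (server_isn - self.proxy_isn) % MOD
        self.phase = 3

    def translate(self, direction, seq, ack):
        """Phase 3: rewrite one segment's (seq, ack) for the other side."""
        if self.phase != 3:
            raise RuntimeError("no translation before both handshakes finish")
        if direction == "server_to_client":
            # Server numbers its bytes from server_isn; client expects proxy_isn.
            return (seq - self.delta) % MOD, ack
        if direction == "client_to_server":
            # Client ACKs in proxy_isn space; server expects server_isn space.
            return seq, (ack + self.delta) % MOD
        raise ValueError(direction)


def simulate(client_isn=1000, proxy_isn=5000, server_isn=9_000_000):
    """Run the three phases with constructed ISNs and return the state."""
    st = SynproxyState(client_isn, proxy_isn)
    st.client_handshake_done()        # phase 1 -> 2
    st.server_handshake_done(server_isn)  # phase 2 -> 3
    return st
```

Try a wrapped case such as `simulate(proxy_isn=4_000_000_000, server_isn=10)` to see why the modulo matters.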

