Hi all,
having a policy filtering setup (chapter about tagging in FAQ) like
-------------------------------------------------------------------
block log all
..
pass in on $ext_if inet proto tcp from any to <bastion_mail_hosts> \
port { smtp } tag RED_DMZ synproxy state
..
pass out quick on $dmz_if tagged RED_DMZ keep state
-------------------------------------------------------------------
or
-------------------------------------------------------------------
block log all
..
pass in on $ext_if inet proto tcp from any to <bastion_mail_hosts> \
port { smtp } tag RED_DMZ keep state
..
pass out quick on $dmz_if tagged RED_DMZ synproxy state
-------------------------------------------------------------------
does not work either. In both cases no state is created for the running
connection going out on $dmz_if and the return packets coming in there
are dropped.
This is
- 3.5_stable
- no NAT involved
- state-policy if-bound
Here
http://archives.neohapsis.com/archives/openbsd/2004-07/0321.html
Daniel wrote
Up until a couple of weeks ago, synproxy would use the PF_GENERATED tag
to make packets generated for the server handshake bypass further
filtering. That was changed for the scenario where the destination
isn't local, so these packets can create state on a second real
interface (otherwise the server's SYN+ACK is dropped, unless no
filtering is done on the second interface at all).
From that text I would have expected my setup to work with synproxy.
What am I doing wrong?
Or is this a permanent/temporary restriction of synproxy?
Axel
Axel Rau, Frankfurt, Germany Phone:49-69-951418-0, Fax: -55