-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 2004-07-04 I wrote:

having a policy filtering setup (chapter about tagging in FAQ) like
-------------------------------------------------------------------
block log all
...
pass in on $ext_if inet proto tcp from any to <bastion_mail_hosts> \
                        port { smtp } tag RED_DMZ synproxy state
...
pass out quick on $dmz_if tagged RED_DMZ keep state
-------------------------------------------------------------------
or
-------------------------------------------------------------------
block log all
...
pass in on $ext_if inet proto tcp from any to <bastion_mail_hosts> \
                        port { smtp } tag RED_DMZ keep state
...
pass out quick on $dmz_if tagged RED_DMZ synproxy state
-------------------------------------------------------------------
does not work either. In both cases no state is created for the running
connection going out on $dmz_if and the return packets coming in there
are dropped.
This is
- 3.5_stable
- no NAT involved
- state-policy if-bound
Here
        http://archives.neohapsis.com/archives/openbsd/2004-07/0321.html
Daniel wrote:
Up until a couple of weeks ago, synproxy would use the PF_GENERATED tag
to make packets generated for the server handshake bypass further
filtering. That was changed for the scenario where the destination
isn't local, so these packets can create state on a second real
interface (otherwise the server's SYN+ACK is dropped, unless no
filtering is done on the second interface at all).

From that text I would have expected my setup to work with synproxy.

What am I doing wrong?
Or is this a permanent/temporary restriction of synproxy?

The first setup above now works perfectly with 3.8 stable!
I did not try the 2nd one.

Many thanks to all developers, who made this happen!

Synproxy and tagging are real professional features.

Axel

Axel Rau, Frankfurt, Germany                           +49-69-951418-0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iQEVAwUBQ4cjIcFz9+6bacTRAQKkeAf/Qh2UQAQpWxEXj6QXtIt5LWkR9Udx0jX4
jxSgcyLIOgQ65QsgDOyNEeFqOUI4lSUL1Gy5Lo1xwqsIIxj8Xj0XTmhlcFlHhSzA
YOjc4Ettiju5/3QEWw/+kxA6YnB0jmhCF75CjD7xLs4G8T2n+6RTU5krBbwt6sNg
NJFdsnMDax0IMp1tHU5ubGlIPFt0YtXgfDNeDhfn801R06mpkP7TWEFCzbvH2POx
8MzFNqDQc8j/+XMXVEf7FRVHl0eeUrHvnFzRP34pNfTuHKMVZK3zFBD2dJPyp78x
Y4PwcGHzfN1j5dMeucLp6LRfdVPrpaG0XuJ2XkA5v5qM+4t37md/Jw==
=EcSy
-----END PGP SIGNATURE-----
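The first setup from the message above, written out as a complete, loadable ruleset. This is an added example, not the poster's own pf.conf: the interface names, the table contents and the DMZ addressing are assumptions, and the elided rules marked "..." in the original are not reconstructed. The point it shows is why two state-creating rules are needed with state-policy if-bound: the state created by the synproxy rule on the external interface does not cover the DMZ leg, so the outbound rule on the DMZ interface must create its own state, and the packets pf itself generates for the server-side handshake have to be allowed to create that state (which is what 3.8 does and the 3.5 setup reported above did not).

```pf
# Added example (not the original poster's ruleset).
# Assumed names: fxp0 = external interface, fxp1 = DMZ interface,
# 192.0.2.25 = the bastion mail host in the DMZ.
ext_if = "fxp0"
dmz_if = "fxp1"
table <bastion_mail_hosts> const { 192.0.2.25 }

# Each interface keeps its own states. A state created on $ext_if does
# not match traffic on $dmz_if, so the DMZ rule below must create one too.
set state-policy if-bound

# Default deny, logged, on every interface.
block log all

# External side: pf completes the TCP three-way handshake with the client
# itself (synproxy) before anything reaches the bastion host, then opens
# the real connection to the host. The connection is tagged on the way in.
pass in on $ext_if inet proto tcp from any to <bastion_mail_hosts> \
        port smtp tag RED_DMZ synproxy state

# DMZ side: only connections carrying the tag may leave towards the DMZ,
# and they get a state of their own so the bastion's SYN+ACK and later
# replies are matched coming back in on $dmz_if. The SYN pf sends to the
# bastion is one of the packets generated by synproxy; on 3.5 it bypassed
# this rule and no state was created here, so the replies were dropped.
pass out quick on $dmz_if tagged RED_DMZ keep state

# Anything else heading into the DMZ is untagged and falls to "block log all".
```

To check a ruleset like this before loading it, run `pfctl -nf /etc/pf.conf` (parse only, no load), then `pfctl -f /etc/pf.conf`. After a test connection to port 25 from outside, `pfctl -ss` should list two states for it, one bound to each interface; if only the external one appears, the DMZ rule did not create state and the return packets will show up in `pflog` as blocked.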