Hi all, I want to test synproxy rules on a gateway. The rule is as below:

  pass in log on em1 inet proto tcp from 192.168.10.0/24 to any port = 80 flags S/SA synproxy state (max 10000, source-track rule, max-src-states 20, max-src-conn-rate 10/1, max-src-nodes 10000)

IP settings:
  PC IP: 192.168.10.66
  Spoofed IP: 192.168.10.4
  Gateway IP: 192.168.10.1

I start a DoS tool from the PC with the spoofed IP to connect to the gateway's port 80, and pf creates a state (pfctl -ss -vvv), like this:

  em1 tcp 192.168.10.1:80 <- 192.168.10.4:80       PROXY:SRC
     [0 + 1] [674719801 + 1062639422]
     age 00:00:05, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 0, source-track

but no ACK has been noticed according to tcpdump (-i em1 port 80), as below:

  04:12:00.991433 192.168.10.4.80 > 192.168.10.33.80: S 674719801:674719801(0) win 16384
  04:12:00.991496 192.168.10.33.80 > 192.168.10.4.80: S 772409234:772409234(0) ack 674719802 win 0 <mss 64> (DF) [tos 0x10]
  04:12:00.991555 192.168.10.4.80 > 192.168.10.33.80: S 674719801:674719801(0) win 16384
  04:12:00.991569 192.168.10.33.80 > 192.168.10.4.80: S 772409234:772409234(0) ack 674719802 win 0 <mss 64> (DF) [tos 0x10]
  04:12:00.991805 192.168.10.4.80 > 192.168.10.33.80: S 674719801:674719801(0) win 16384
  04:12:00.991817 192.168.10.33.80 > 192.168.10.4.80: S 772409234:772409234(0) ack 674719802 win 0 <mss 64> (DF) [tos 0x10]
  04:12:00.991930 192.168.10.4.80 > 192.168.10.33.80: S 674719801:674719801(0) win 16384
  04:12:00.991942 192.168.10.33.80 > 192.168.10.4.80: S 772409234:772409234(0) ack 674719802 win 0 <mss 64> (DF) [tos 0x10]

So my question is: why does PF create a state while the first 3-way handshake didn't complete? What is the right usage of a synproxy rule to protect a port from a DoS attack?

TIA
Frank
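An added example, not part of Frank's post: a small tracker that reads tcpdump lines in the older one-line format shown in the trace and classifies each TCP flow by how far its handshake got, so the SYN / SYN-ACK / no-ACK pattern above can be picked out of a longer capture and counted per source. The first four sample lines are taken from the post; the 192.168.10.66:40001 flow that does complete is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: lines 1-4 copied from the post's trace (SYN, SYN-ACK, no ACK),
# lines 5-7 a made-up flow from the PC's real address that finishes the handshake.
SAMPLE = """\
04:12:00.991433 192.168.10.4.80 > 192.168.10.33.80: S 674719801:674719801(0) win 16384
04:12:00.991496 192.168.10.33.80 > 192.168.10.4.80: S 772409234:772409234(0) ack 674719802 win 0 <mss 64> (DF) [tos 0x10]
04:12:00.991555 192.168.10.4.80 > 192.168.10.33.80: S 674719801:674719801(0) win 16384
04:12:00.991569 192.168.10.33.80 > 192.168.10.4.80: S 772409234:772409234(0) ack 674719802 win 0 <mss 64> (DF) [tos 0x10]
04:12:01.102000 192.168.10.66.40001 > 192.168.10.33.80: S 100:100(0) win 16384
04:12:01.102050 192.168.10.33.80 > 192.168.10.66.40001: S 200:200(0) ack 101 win 0 <mss 64> (DF)
04:12:01.102100 192.168.10.66.40001 > 192.168.10.33.80: . ack 201 win 16384
"""

# "ts src.port > dst.port: FLAGS [seq:seq(len)] [ack N] ..." (old tcpdump style, '.' = ACK only)
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

def track_handshakes(text):
    """Return {(client, cport, server, sport): info}; info['state'] is 'syn-only',
    'half-open' (SYN-ACK went out, no ACK came back) or 'established'."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        src, dst = (p["sip"], int(p["sport"])), (p["dip"], int(p["dport"]))
        if "S" in p["flags"] and p["ack"] is None:          # client SYN (maybe a retransmit)
            f = flows.setdefault(src + dst, {"state": "syn-only", "syns": 0, "synack_seq": None})
            f["syns"] += 1
        elif "S" in p["flags"]:                              # server SYN-ACK
            f = flows.get(dst + src)
            if f is not None and f["state"] == "syn-only":
                f["state"], f["synack_seq"] = "half-open", int(p["seq"])
        elif p["ack"] is not None:                           # client's third-packet ACK
            f = flows.get(src + dst)
            if f is not None and f["state"] == "half-open" and int(p["ack"]) == f["synack_seq"] + 1:
                f["state"] = "established"
    return flows

def half_open_sources(flows):
    """Half-open flows per client address: the per-source picture the rule's
    max-src-states / max-src-conn-rate limits are meant to bound."""
    counts = defaultdict(int)
    for (cip, _cp, _sip, _sp), f in flows.items():
        if f["state"] == "half-open":
            counts[cip] += 1
    return dict(counts)
```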
