On Mon, July 26, 2010 6:02 pm, Justin wrote:
> ... it's not an if_bridge, thanks.
>
> On 7/26/2010 7:05 AM, Denny Lin wrote:
>> On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
>>> Hello all - I've tried searching the list but it seems something is
>>> broken and I'm getting 500 errors. Alas,
>>>
>>> Is there something unique about using synproxy in a gateway style
>>> firewall that isn't outlined in the PF manuals? Here's the scenario:
>>>
>>> Internet -> em0 | pf rules | em1 -> target host.
>>>
>> Synproxy does not work when on bridges.
>>
>> From pf.conf(5):
>> Rules with synproxy will not work if pf(4) operates on a if_bridge(4).
>>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
If it helps, you're not the only one with issues. Synproxy is not for general fw use IMHO. I.e.: a friend is running a high traffic website and synproxy slows down the packet flow. Another example, if I remember correctly, is that it doesn't work with packet tagging; another one, just mentioned, is that it doesn't work with if_bridge... I gave up on it a long time ago (on FreeBSD 6). (Of course, everything is subject to different factors, like hw.)

You could, instead, try ftp-proxy, which works great with pf and passive ftp (I really can't say how effective it is against a syn flood, but you can test it).

Synproxy is a great addition to pf but, unfortunately, it doesn't lack bugs.
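For reference, here is what the routed gateway scenario from the thread (Internet -> em0 | pf | em1 -> host) looks like as a minimal pf.conf with synproxy applied only on the external interface. This is an added example, not a ruleset posted by anyone in the thread; the interface names come from the thread, while the server address and port are assumptions chosen for illustration. It relies on the pf.conf(5) restriction quoted above: the box must route between em0 and em1, not bridge them, so the check in the leading comment should print no interfaces before you load it.

```pf
# Added example ruleset for a routed (non-bridged) pf gateway.
# Precondition from pf.conf(5): synproxy does not work on if_bridge(4).
# Before loading, confirm no bridge interface exists on this host:
#     ifconfig -g bridge        # should print nothing
# Then load and inspect with:
#     pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#     pfctl -vsr                # rule hit counters
#     pfctl -ss | grep 192.0.2.10   # states created for the proxied service

ext_if  = "em0"             # Internet-facing interface (from the thread)
int_if  = "em1"             # interface toward the protected host (from the thread)
web_srv = "192.0.2.10"      # assumed address of the target host (documentation range)
web_port = "80"             # assumed service port

set skip on lo0
set block-policy drop

# Default deny on the outside; log what is dropped so a flood is visible.
block in log on $ext_if

# Only the proxied service is exposed from the Internet. pf completes the
# TCP handshake with the client itself and opens the connection to the
# server only after the client's ACK arrives, so half-open SYNs never
# reach $web_srv. "flags S/SA" restricts matching to initial SYNs.
pass in on $ext_if proto tcp from any to $web_srv port $web_port \
    flags S/SA synproxy state

# Plain stateful pass rules for the inside; the synproxied state created on
# $ext_if is what lets the forwarded packets leave on $int_if.
pass out on $int_if keep state
pass in  on $int_if keep state
pass out on $ext_if keep state
```

Two points worth keeping in mind when trying this: synproxy only functions if pf sees both directions of every connection on this host, so it cannot be combined with asymmetric routing any more than with a bridge, and the state counters from `pfctl -si` are the quickest way to tell whether proxied states are actually being created or the rule is simply never matching.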