On Mon, Jul 26, 2010 at 05:26:21AM -0700, Justin wrote:
> When using synproxy state - the connection never completes. If we change
> synproxy to keep, everything works fine. Alternately, if the service in
> question is running locally on the actual firewall itself, I'll see
> state entries show up in pfctl -s doing a proxy and then passing the
> connection on to itself - so why doesn't it work in the same manner
> when passing on to a host behind the machine? I've tried all sorts of
> variations and skipping processing on internal interface, but I just
> can't seem to get it to work. All my searching has turned up nothing.
> I've also tried state-policy if-bound and there appears to be no change.
> Is this a bug? Have I missed something totally obvious?
Concurrently run

  # tcpdump -nvSi em0 tcp port 80

and

  # tcpdump -nvSi em1 tcp port 80

and reproduce one connection failure. What do you see? Does the TCP handshake (SYN, SYN+ACK, ACK) complete between client and pf? And the one between pf and the server?

Right after the failure, does pfctl -vvss show a state entry for the failed connection? What does it look like?

Run pfctl -vvsi before and after the failure. Which counters are increasing?

Enable verbose logging (pfctl -x misc); does /var/log/messages show any message possibly related to the failure?

Kind regards,
Daniel
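The "which counters are increasing?" step above, made mechanical as an added example (not part of the original thread): a POSIX sh helper that compares two saved pfctl -vvsi snapshots and lists the counters that grew. The two snapshots embedded here are constructed samples shaped like pfctl's output; the numbers are invented, and on a real firewall you would capture them before and after reproducing the failure.

```shell
#!/bin/sh
# Added example, not from the thread: diff two "pfctl -vvsi" snapshots and
# report the counters that grew. The snapshots below are constructed samples
# modelled on pfctl output; on a real box capture them with
#   pfctl -vvsi > before.txt; <reproduce the failure>; pfctl -vvsi > after.txt
# and pass the file contents to pf_counter_diff.

BEFORE_SNAPSHOT='Status: Enabled for 0 days 00:10:00           Debug: Misc

State Table                          Total             Rate
  current entries                        4
  searches                            1200            2.0/s
  inserts                               40            0.1/s
  removals                              36            0.1/s
Counters
  match                                 40            0.1/s
  state-mismatch                         2            0.0/s
  synproxy                               0            0.0/s'

AFTER_SNAPSHOT='Status: Enabled for 0 days 00:10:30           Debug: Misc

State Table                          Total             Rate
  current entries                        5
  searches                            1260            2.0/s
  inserts                               42            0.1/s
  removals                              36            0.0/s
Counters
  match                                 42            0.1/s
  state-mismatch                         5            0.1/s
  synproxy                               3            0.1/s'

# pf_counter_diff BEFORE AFTER
# Prints "name before after" for every single-word counter whose total rose.
# The rate column and multi-word rows such as "current entries" are ignored.
pf_counter_diff() {
    printf '%s\n===SNAPSHOT-BOUNDARY===\n%s\n' "$1" "$2" | awk '
        /^===SNAPSHOT-BOUNDARY===$/ { second = 1; next }
        /^  [a-z-]+ +[0-9]+/ {            # indented name followed by an integer total
            name = $1; total = $2 + 0
            if (!second)        before[name] = total
            else if ((name in before) && total > before[name])
                printf "%s %d %d\n", name, before[name], total
        }'
}

pf_counter_diff "$BEFORE_SNAPSHOT" "$AFTER_SNAPSHOT"
```

A rising synproxy or state-mismatch count between the two snapshots points at where pf is dropping the handshake; an unchanged counter set with a failing connection says the packets are not reaching pf at all, which is what the tcpdump pair above would confirm.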