but is this clear for newbies who read all the faqs?
On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
> * ???????? ?????????????? <chipits...@gmail.com> [2012-08-23 08:44]:
> > 2012/8/23 Claudio Jeker <cje...@diehard.n-r-g.com>
> > > On Thu, Aug 23, 2012 at 12:17:04AM +0600, ???? ??????? wrote:
> > > > why syn proxy is not enabled by default ?
> > > Because it has bad side-effects. Like accepting a connection before the
> > > actual server accepted it. So it is hard to signal closed ports back.
> > any other side-effect ?
>
> claudio stated this way too nice.
>
> let me be super clear here: if you are running synproxy permanently,
> you are an idiot.
>
> why is synproxy there? if you are under a synflood-style attack and
> need to protect a backend server, it can save your a**.
> running synproxy to "protect" an OpenBSD machine, more so the local
> host, is retarded and counterproductive.
>
> think through how synproxy works. it accepts a connection on behalf of
> the destination server. once the 3whs is complete, it tries to open a
> connection to the backend. now if the backend doesn't take that
> connection, the pf synproxy box can only drop the already established
> connection. the semantics of establishing and dropping a connection vs
> not taking it from the beginning DO have different semantics. for
> example, if you use round-robin dns, the client will NOT move on to
> the next IP address if the connection had been accepted and dropped
> later. moreover, you are drawing deliberate decisions by the actual
> daemon, like the listen backlog, close to pointless. it gets worse
> when some form of loadbalancing is in the picture.
>
> synproxy is there because it can save your a** WHEN YOU ARE UNDER
> ATTACK. it is not suitable for all-time all-case use, and can't be.
>
> it once again comes down to "think before pushing random buttons".
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/
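The accept-then-drop versus refuse distinction Henning describes above, as an added example that is not part of the original thread and not OpenBSD or pf code: a small Python model, constructed here, of a client walking round-robin DNS answers. Two loopback listeners stand in for a healthy backend and for a synproxy box whose backend has refused the connection it already accepted; a third, closed port stands in for a backend that is simply down with no synproxy in front. The client policy (move to the next address only when the connect itself is refused, which is what common clients do) is an assumption stated in the code.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback stand-ins for the listeners (constructed, not a real deployment)


def start_listener(behaviour):
    """Start a one-shot TCP listener on an ephemeral port and return the port.

    behaviour == "serve": the real service answers after the handshake.
    behaviour == "drop":  handshake completes, then the connection is torn
                          down, which is all a synproxy box can do once the
                          backend refuses the connection it already accepted.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == "serve":
            conn.sendall(b"220 ready\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Pick a port nothing listens on: bind an ephemeral port and release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def try_connect(port, timeout=2.0):
    """Classify one connection attempt as 'refused', 'dropped' or 'ok'."""
    try:
        s = socket.create_connection((HOST, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"  # no handshake at all: RST comes straight back
    with s:
        try:
            data = s.recv(1)
        except ConnectionResetError:
            return "dropped"  # handshake done, then RST
    return "ok" if data else "dropped"  # b'' means the peer closed right after accepting


def round_robin_connect(ports):
    """Model of a client walking round-robin DNS answers.

    Assumed policy (as common clients behave): it only moves on to the next
    address when the connect itself fails. Returns the final outcome and the
    list of (port, outcome) pairs it tried.
    """
    tried = []
    for port in ports:
        outcome = try_connect(port)
        tried.append((port, outcome))
        if outcome != "refused":
            return outcome, tried  # an established connection ends the search
    return "refused", tried


def demo():
    """Run both scenarios and return their (outcome, tried) results."""
    good_a = start_listener("serve")
    good_b = start_listener("serve")
    synproxy_style = start_listener("drop")
    dead = closed_port()
    # Backend down, no synproxy: first address refuses, client moves on and succeeds.
    no_proxy = round_robin_connect([dead, good_a])
    # Backend down behind a permanently enabled synproxy: the handshake succeeds,
    # the connection is then dropped, and the client never tries the healthy address.
    with_proxy = round_robin_connect([synproxy_style, good_b])
    return no_proxy, with_proxy


if __name__ == "__main__":
    for label, (outcome, tried) in zip(("no synproxy", "synproxy"), demo()):
        print(f"{label}: {outcome} after {len(tried)} attempt(s): {tried}")
```

Running it shows the second scenario stopping after a single attempt with a dropped connection, while the first reaches the healthy address on its second try; the same reasoning applies to any client-side failover that keys on connect failure rather than on an established connection going away.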