On Tue, Oct 02, 2012 at 09:50:36PM +1000, David Diggles wrote:
> but is this clear for newbies who read all the faqs?

Well, it's not default. And almost often that is a sign the option is not desirable for a typical setup.

	-Otto

> 
> On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
> > * ???????? ?????????????? <chipits...@gmail.com> [2012-08-23 08:44]:
> > > 2012/8/23 Claudio Jeker <cje...@diehard.n-r-g.com>
> > > > On Thu, Aug 23, 2012 at 12:17:04AM +0600, ???? ??????? wrote:
> > > > > why syn proxy is not enabled by default ?
> > > > Because it has bad side-effects. Like accepting a connection before the
> > > > actual server accepted it. So it is hard to signal closed ports back.
> > > any other side-effect ?
> > 
> > claudio stated this way too nice.
> > 
> > let me be super clear here: if you are running synproxy permanently,
> > you are an idiot.
> > 
> > why is synproxy there? if you are under a synflood-style attack and
> > need to protect a backend server, it can save your a**.
> > running synproxy to "protect" an OpenBSD machine, more so the local
> > host, is retarded and counterproductive.
> > 
> > think through how synproxy works. it accepts a connection on behalf of
> > the destination server. once the 3whs is complete, it tries to open a
> > connection to the backend. now if the backend doesn't take that
> > connection, the pf synproxy box can only drop the already established
> > connection. the semantics of establishing and dropping a connection vs
> > not taking it from the beginning DO have different semantics. for
> > example, if you use round-robin dns, the client will NOT move on to
> > the next IP address if the connection had been accepted and dropped
> > later. moreover, you are drawing deliberate decisions by the actual
> > daemon, like the listen backlog, close to pointless. it gets worse
> > when some form of loadbalancing is in the picture.
> > 
> > synproxy is there because it can save your a** WHEN YOU ARE UNDER
> > ATTACK. it is not suitable for all-time all-case use, and can't be.
> > 
> > it once again comes down to "think before pushing random buttons".
> > 
> > --
> > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > BS Web Services, http://bsws.de, Full-Service ISP
> > Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
> > Managed
> > Henning Brauer Consulting, http://henningbrauer.com/