On 2021-11-10, Lyndon Nerenberg (VE7TFX/VE6BBM) <lyn...@orthanc.ca> wrote:
> I'm trying to get synproxy working on a firewall, using the following
> rule:
>
>   pass quick proto tcp from any to $front_smtp4 port 25 synproxy state
>
> The firewall accepts the connection on the outside interface, but
> I don't see (tcpdump) any attempt to complete the connection on the
> inside interface.  The state table shows a pair of entries with state
> PROXY:SRC and DST:PROXY which line up with the connection, but all I
> get is dead air.
>
> This seems like it should 'just work'.  Is there something obvious
> I'm missing?  I can give more detailed info (pf rules, ifconfig)
> offline for anyone interested in helping out.


There are some strange issues with synproxy, for example if you have

pass in quick proto tcp to 157.240.1.35 synproxy state

and try an http get to that address (one of facebook's), the connection
doesn't fully establish, but things are ok with various other addresses
(say 129.128.5.194).

No idea if what you're seeing is related to that or it's something
completely different, but I am not finding synproxy to work correctly
in all cases.

(I originally ran into the problem after adaptive syncookies
were triggered due to a high number of states, then I found I was able to
replicate it on demand by forcing synproxy).
