I'm trying out the synproxy feature on my test webserver. I have the following rule:

  ext_if = "ne3"
  web_server = "192.168.4.7"

  pass in on $ext_if inet proto tcp from any to $web_server port www flags S/SA synproxy state

I can't seem to hit the website at all. I ran pfctl -ss and got the following result:

  [EMAIL PROTECTED] sudo pfctl -ss
  all tcp 192.168.4.7:80 <- 192.168.4.13:22468       PROXY:DST

  [EMAIL PROTECTED] sudo pfctl -sa
  FILTER RULES:
  pass in log on ne3 inet proto tcp from any to (ne3) port = www flags S/SA synproxy state

  No queue in use

  INFO:
  Status: Enabled for 0 days 00:08:53           Debug: Urgent

  State Table                          Total             Rate
    current entries                        0
    searches                            2233            4.2/s
    inserts                               13            0.0/s
    removals                              13            0.0/s
  Counters
    match                               1832            3.4/s
    bad-offset                             0            0.0/s
    fragment                               0            0.0/s
    short                                  0            0.0/s
    normalize                              0            0.0/s
    memory                                 0            0.0/s
    bad-timestamp                          0            0.0/s
    congestion                             0            0.0/s
    ip-option                              0            0.0/s
    proto-cksum                            0            0.0/s
    state-mismatch                         0            0.0/s
    state-insert                           7            0.0/s
    state-limit                            0            0.0/s
    src-limit                              0            0.0/s
    synproxy                             131            0.2/s

  TIMEOUTS:
  tcp.first                   120s
  tcp.opening                  30s
  tcp.established           86400s
  tcp.closing                 900s
  tcp.finwait                  45s
  tcp.closed                   90s
  tcp.tsdiff                   30s
  udp.first                    60s
  udp.single                   30s
  udp.multiple                 60s
  icmp.first                   20s
  icmp.error                   10s
  other.first                  60s
  other.single                 30s
  other.multiple               60s
  frag                         30s
  interval                     10s
  adaptive.start             6000 states
  adaptive.end              12000 states
  src.track                     0s

  LIMITS:
  states        hard limit    10000
  src-nodes     hard limit    10000
  frags         hard limit     5000
  tables        hard limit     1000
  table-entries hard limit   200000

  TABLES:

  OS FINGERPRINTS:
  696 fingerprints loaded

Are there any other extra rules that I may be missing? I'm putting this up on a stand-alone webserver. I tried changing the synproxy state to modulate state, and all is well. I'm running this on 4.4 -current; I tried the same rule on a stable 4.3 with the same results.

Any help will be greatly appreciated.

thanks,
-b
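As an added example (not part of the original mail), here is a small Python helper that parses `pfctl -ss` output and groups the TCP states for a server port by stage, so you can see whether synproxied connections ever leave the PROXY:SRC/PROXY:DST stages and reach ESTABLISHED:ESTABLISHED. The sample state lines are constructed; the reading of a PROXY:DST state as "the proxied handshake toward the server has not completed yet" is an interpretation, not something stated in the mail.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output (not taken from the original mail
# beyond the shape of its single state line).
SAMPLE_STATES = """\
all tcp 192.168.4.7:80 <- 192.168.4.13:22468       PROXY:DST
all tcp 192.168.4.7:80 <- 192.168.4.13:22470       PROXY:DST
all tcp 192.168.4.7:80 <- 192.168.4.21:51002       PROXY:SRC
all tcp 192.168.4.7:22 <- 192.168.4.13:40110       ESTABLISHED:ESTABLISHED
all udp 192.168.4.7:53 <- 192.168.4.9:5353         SINGLE:MULTIPLE
"""

# One state per line: interface, protocol, endpoint, direction, endpoint, state.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+"
    r"(?P<dir><-|->|<->)\s+(?P<right>\S+)\s+(?P<state>\S+)\s*$"
)

def parse_states(text):
    """Return one dict per parsable state line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def synproxy_report(entries, server_port=80):
    """Summarise TCP states to server_port by stage.

    PROXY:SRC / PROXY:DST are the intermediate synproxy stages; a working
    connection ends up in ESTABLISHED:ESTABLISHED. If every state sits in a
    PROXY stage and none reach ESTABLISHED, the proxied handshake never finishes.
    """
    by_stage = Counter()
    pending = []
    for e in entries:
        if e["proto"] != "tcp" or not e["left"].endswith(f":{server_port}"):
            continue
        by_stage[e["state"]] += 1
        if e["state"].startswith("PROXY:"):
            pending.append((e["right"], e["state"]))
    return {
        "by_stage": dict(by_stage),
        "proxy_pending": pending,
        "handshake_completing": by_stage["ESTABLISHED:ESTABLISHED"] > 0,
    }

if __name__ == "__main__":
    report = synproxy_report(parse_states(SAMPLE_STATES))
    for stage, n in sorted(report["by_stage"].items()):
        print(f"{stage:28} {n}")
    print("handshake completing:", report["handshake_completing"])
```

On a live box, feed it the real output with `pfctl -ss` piped into the script instead of the constructed sample.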