Found the extra rule that's needed:

set state-policy if-bound


Fixed it. Thanks, list!

On Sat, Oct 25, 2008 at 6:26 PM, Beavis <[EMAIL PROTECTED]> wrote:
> I'm trying out the synproxy feature on my test webserver I have the
> following rule.
>
> ext_if = "ne3"
> web_server = "192.168.4.7"
>
> pass in on $ext_if inet proto tcp from any to $web_server port www
> flags S/SA synproxy state
>
> I can't seem to hit the website at all. I ran pfctl -ss and got the
> following result:
>
> [EMAIL PROTECTED] sudo pfctl -ss
> all tcp 192.168.4.7:80 <- 192.168.4.13:22468       PROXY:DST
>
> [EMAIL PROTECTED] sudo pfctl -sa
> FILTER RULES:
> pass in log on ne3 inet proto tcp from any to (ne3) port = www flags
> S/SA synproxy state
> No queue in use
>
> INFO:
> Status: Enabled for 0 days 00:08:53           Debug: Urgent
>
> State Table                          Total             Rate
>  current entries                        0
>  searches                            2233            4.2/s
>  inserts                               13            0.0/s
>  removals                              13            0.0/s
> Counters
>  match                               1832            3.4/s
>  bad-offset                             0            0.0/s
>  fragment                               0            0.0/s
>  short                                  0            0.0/s
>  normalize                              0            0.0/s
>  memory                                 0            0.0/s
>  bad-timestamp                          0            0.0/s
>  congestion                             0            0.0/s
>  ip-option                              0            0.0/s
>  proto-cksum                            0            0.0/s
>  state-mismatch                         0            0.0/s
>  state-insert                           7            0.0/s
>  state-limit                            0            0.0/s
>  src-limit                              0            0.0/s
>  synproxy                             131            0.2/s
>
> TIMEOUTS:
> tcp.first                   120s
> tcp.opening                  30s
> tcp.established           86400s
> tcp.closing                 900s
> tcp.finwait                  45s
> tcp.closed                   90s
> tcp.tsdiff                   30s
> udp.first                    60s
> udp.single                   30s
> udp.multiple                 60s
> icmp.first                   20s
> icmp.error                   10s
> other.first                  60s
> other.single                 30s
> other.multiple               60s
> frag                         30s
> interval                     10s
> adaptive.start             6000 states
> adaptive.end              12000 states
> src.track                     0s
>
> LIMITS:
> states        hard limit    10000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
> TABLES:
>
> OS FINGERPRINTS:
> 696 fingerprints loaded
>
>
> Are there any other extra rules that I may be missing? I'm putting this
> up on a stand-alone webserver. I tried changing the synproxy state to
> modulate state, and all is well. I'm running this on 4.4 -current; I
> tried the same rule on a stable 4.3 with the same results.
>
>
> any help will be greatly appreciated.
>
> thanks,
> -b
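For reference, here is the poster's rule set assembled into one complete pf.conf together with the option the reply identifies as the fix. This is an added example, not a file from the thread: the interface name ne3 and the address 192.168.4.7 are the poster's values, while the inbound default-deny rule is an assumption added for completeness and is not something the thread mentions.

```pf
# Added example assembled from the thread (not the poster's actual file).
# ne3 and 192.168.4.7 come from the thread; the block rule is an assumption.
ext_if = "ne3"
web_server = "192.168.4.7"

# The piece the reply found missing: bind each state to the interface it
# was created on instead of the default floating state policy.
set state-policy if-bound

# Assumed default-deny for traffic arriving on the external interface.
block in on $ext_if

# pf completes the TCP handshake with the client itself before opening the
# connection to the web server; flags S/SA means only a bare SYN creates state.
pass in on $ext_if inet proto tcp from any to $web_server port www \
    flags S/SA synproxy state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After a client connects, `pfctl -ss` should show the state move on from the PROXY:DST stage seen in the original post to ESTABLISHED:ESTABLISHED, which confirms the proxied handshake with the web server completed.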
