I've been playing around with PF and synproxy - tested out OpenBSD
4.1 -> 4.8, and also tried FreeBSD's port. Alas, it seems that synproxy
doesn't work at all the way it's described in the man pages?
internet - switch -> em0 | pf rules | em1 -> switch - out to client machines.
                         \-----------------------------/
em0 and em1 have real legitimate internet IPs, as does the client
machine. Packets destined for a specific IP on the client machine are
static routed via the PF firewall machine. This machine is -not- a
bridge, but a forwarding gateway.
pass in on em0 proto tcp from any to any port 80 flags S/SA synproxy state
If I connect to an HTTP process running on the PF filter box itself,
it works correctly (not particularly useful).
If I attempt to connect to an HTTP process running on the client
machine, it does not work unless synproxy is replaced with keep. I've
tried all sorts of skip rules, if-bound rules, rdr rules, etc. The PF
box seems to complete the first part of the handshake - but beyond that
everything dies.
If synproxy can only work on a localized host, the documentation should
be updated to reflect that. Alternately, if there's something specific
required to actually synproxy over a gateway, perhaps this should be
added to the documentation? Is synproxy broken? Who can we convince to
spend some time looking into this and how? Was there -ever- a release
that worked in the manner I desire - I've got old hardware that could be
utilized instead if this is the case. ;)
-Justin