
List:       openbsd-pf
Subject:    Re: when to use synproxy (and when not ;)
From:       "Shawn K. Quinn" <skquinn () speakeasy ! net>
Date:       2005-11-14 17:25:25
Message-ID: 1131989126.5728.24.camel () xevious ! platypuslabs ! org

On Mon, 2005-11-07 at 10:45 +0100, Joel CARNAT wrote:
> Hi,
> 
> On my firewall (not bridge), all accepted incoming requests to my hosted
> services are allowed with 'flags S/SA modulate state'. As my firewall is
> a NAT router, I thought I might use 'synproxy' rather than 'modulate
> state'. Because my firewall is not configured as a bridge, and according
> to the man page, this looks like a good idea.
> 
> Reading OpenBSD pf documentation and reading pf.conf example on google,
> it seems using 'synproxy' is not that automatic.
> 
> So my question is, can I automatically use 'flags S/SA modulate state'
> to allow incoming requests, or are there any restrictions (e.g., not
> with ICMP, or not with domain/UDP, ...)?

If I remember right, the new versions of pf/pfctl interpret "modulate
state" as "keep state" when the former does not make sense (non-TCP).

The only caveat I know of is, don't use "synproxy state" for services
that may not be up all the time, as it will show as a completed and
immediately dropped connection on the client side. "modulate state" does
not have this problem.

-- 
Shawn K. Quinn <skquinn@speakeasy.net>
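The ruleset below is an added illustration, not part of the original thread or of any OpenBSD example; it writes out the two choices discussed above as a pf.conf fragment in the 2005-era syntax used on this list (explicit 'flags S/SA' and state keywords on each rule). The interface name, addresses and services are assumptions. As pf.conf(5) of that era states, 'synproxy state' includes the functionality of both 'keep state' and 'modulate state', so the trade-off is only about what a client sees when the backend is down.

```conf
# Added example: pf.conf fragment for a NAT router (not a bridge).
# Interface and addresses below are assumed values.
ext_if  = "fxp0"
www_srv = "192.168.1.10"   # web server that is always up
dns_srv = "192.168.1.11"   # caching resolver
box_srv = "192.168.1.20"   # box that is frequently powered off

# Redirections (NAT). With pre-4.7 syntax the filter rules below match the
# translated (internal) address, not the external one.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv
rdr on $ext_if proto udp from any to ($ext_if) port 53 -> $dns_srv
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $box_srv

block in on $ext_if all

# Always-up TCP service: synproxy completes the three-way handshake on the
# firewall, so the backend only ever sees fully established connections
# (SYN floods never reach it). Includes keep state and modulate state.
pass in on $ext_if proto tcp from any to $www_srv port 80 \
    flags S/SA synproxy state

# Service that may be down: with synproxy the firewall would still ACK the
# client's SYN and then drop the session, which looks like an accepted and
# immediately closed connection. modulate state lets the client see the
# backend's real behaviour (a refused or timed-out connection).
pass in on $ext_if proto tcp from any to $box_srv port 22 \
    flags S/SA modulate state

# Non-TCP traffic: 'flags' and sequence-number modulation only apply to TCP.
# Newer pf treats 'modulate state' here as 'keep state'; writing 'keep state'
# explicitly avoids depending on that behaviour.
pass in on $ext_if proto udp from any to $dns_srv port 53 keep state
pass in on $ext_if inet proto icmp from any to $dns_srv icmp-type echoreq \
    keep state
```

Load it with `pfctl -nf /etc/pf.conf` first, which parses the rules without installing them; a rule that combines 'flags' or 'modulate state' with a non-TCP protocol is rejected at that stage on versions that do not silently downgrade it.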
