On Apr 2, 2005 12:18 AM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I'm running 5.3 stable.
> I've recently switched from ipfilter to pf to take advantage of the
> traffic shaping, and I've run into something I don't understand.
>
> I read the documentation on the synproxy option and it sounded good to me,
> so I replaced my "keep state" rules with "synproxy state".
>
> After doing this, I noticed that my filesharing programs stopped
> downloading. I switched back to "keep state" for the rules that handled
> my filesharing traffic and the problem went away.
>
> Today my brother called and told me that he couldn't get to my website
> anymore because his firewall said that my http service was sending a
> "fragment attack". I replaced "synproxy state" with "keep state" for the
> rules pertaining to httpd and the problem went away.
>
> Specifically, the http traffic rule was (formatted):
> pass in quick on $ext_if proto tcp from any to any port 80 flags S/SAFR
> synproxy state queue(http_out,ack_out)
>
> Having tried a few other firewalls in the past, I know that some of them
> don't like fragmented packets at all.
>
> This week's events make me believe that pf's synproxy option is causing my
> server to send out fragments, and those fragments aren't well-received.
> Is this normal with synproxy? Am I misusing synproxy? Is this just a
> coincidence?
>
In http://archives.neohapsis.com/archives/openbsd/2005-03/2760.html somebody reported a similar problem. Maybe you could try his "solution" by leaving out "flags S/SAFR".

=Adriaan=

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
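For reference, here is the rule as posted next to the variant the reply suggests trying, as a pf.conf fragment. This is an added example and not part of either message in the thread; the macro and queue names ($ext_if, http_out, ack_out) come from the original post, while the interface name assigned to $ext_if is an assumption. Only one of the three rules should be active at a time (all are "pass in quick", so the first match wins), so the alternatives are commented out.

```conf
# Added example, not from the thread. Assumption: fxp0 is the external
# interface; replace with the real one.
ext_if = "fxp0"

# As posted. "flags S/SAFR" means: of the SYN, ACK, FIN and RST bits, only
# SYN may be set, i.e. only the initial SYN of a connection can match this
# rule. "synproxy state" then has pf complete the three-way handshake with
# the client itself before it opens the connection to httpd.
#
# pass in quick on $ext_if proto tcp from any to any port 80 \
#     flags S/SAFR synproxy state queue(http_out, ack_out)

# Variant suggested in the reply: the same rule with the flags restriction
# left out, so the rule is matched on the port alone.
pass in quick on $ext_if proto tcp from any to any port 80 \
    synproxy state queue(http_out, ack_out)

# Fallback the original poster already reported as working: plain state
# tracking without the SYN proxy.
#
# pass in quick on $ext_if proto tcp from any to any port 80 \
#     flags S/SAFR keep state queue(http_out, ack_out)
```

Before loading a changed ruleset, check it with "pfctl -nf /etc/pf.conf" (parse only, nothing is loaded); after loading, "pfctl -ss" lists the current state table, which shows whether the synproxy states are being created for port 80 connections.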