* Илья Шипицин <chipits...@gmail.com> [2012-08-23 08:44]:
> 2012/8/23 Claudio Jeker <cje...@diehard.n-r-g.com>
> > On Thu, Aug 23, 2012 at 12:17:04AM +0600, Илья Шипицин wrote:
> > > why syn proxy is not enabled by default ?
> > Because it has bad side-effects. Like accepting a connection before the
> > actual server accepted it. So it is hard to signal closed ports back.
> any other side-effect ?
claudio stated this way too nice. let me be super clear here: if you are running synproxy permanently, you are an idiot.

why is synproxy there? if you are under a synflood-style attack and need to protect a backend server, it can save your a**. running synproxy to "protect" an OpenBSD machine, more so the local host, is retarded and counterproductive.

think through how synproxy works. it accepts a connection on behalf of the destination server. once the 3whs is complete, it tries to open a connection to the backend. now if the backend doesn't take that connection, the pf synproxy box can only drop the already established connection. establishing and then dropping a connection vs. not taking it from the beginning DO have different semantics. for example, if you use round-robin dns, the client will NOT move on to the next IP address if the connection had been accepted and dropped later. moreover, you are rendering deliberate decisions by the actual daemon, like the listen backlog, close to pointless. it gets worse when some form of loadbalancing is in the picture.

synproxy is there because it can save your a** WHEN YOU ARE UNDER ATTACK. it is not suitable for all-time all-case use, and can't be. it once again comes down to "think before pushing random buttons".

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
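The pattern the reply above argues for, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from the OpenBSD project; the interface name, backend address, ports and the anchor name "synflood" are assumptions. In normal operation the backend answers its own SYNs (a closed port gets a RST, a full listen backlog drops the SYN), so clients see the real result and round-robin DNS fallback keeps working; synproxy lives in an anchor that stays empty until an attack is actually under way.

```conf
# pf.conf fragment (constructed example). Names and addresses are assumptions.
ext_if  = "em0"
backend = "192.0.2.10"
web     = "{ 80 443 }"

# Normal operation: plain stateful pass. pf forwards the SYN, the backend
# decides whether to accept it, and a refused or backlog-dropped connection
# is visible to the client as such.
pass in on $ext_if proto tcp from any to $backend port $web flags S/SA keep state

# Emergency hook. The anchor is empty day to day, so this line does nothing.
# It sits after the normal pass rule because pf's last matching rule wins:
# a synproxy rule loaded into it overrides the rule above for new connections.
anchor "synflood"

# While under a SYN flood, load the synproxy rule into the anchor from a shell:
#   echo 'pass in on em0 proto tcp from any to 192.0.2.10 port { 80 443 } \
#         flags S/SA synproxy state' | pfctl -a synflood -f -
# When the attack is over, empty the anchor again so the backend's own accept
# and backlog decisions are honoured once more:
#   pfctl -a synflood -F rules
```

Existing states are not affected by loading or flushing the anchor; only new connections take the new path, so the switch-over is safe to do live. Note that synproxy only makes sense in front of a separate backend: for connections terminated on the pf host itself, the kernel's own SYN cache already handles floods without accepting on the daemon's behalf.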