I seem to either not understand something or be having the following synproxy issue: a client (172.16.2.60) behind a firewall (NAT, 4.4) does an HTTP connect to cds.sun.com (72.5.239.134), requesting the header only:

    $ lynx -dump -head http://cds.sun.com

The matching pf rule is:

    pass in log quick inet proto tcp to port http synproxy state

(with default pass out policy). However, the HTTP connection stalls. Changing the above rule to:

    pass in log quick inet proto tcp to port http modulate state

"fixes" the stall and the header is transmitted by the webserver just fine.

I have captured both sessions into two individual tcpdump files that might be investigated further, if that's helpful:

    https://www.ini.uzh.ch/~stephan/out.synproxy
    https://www.ini.uzh.ch/~stephan/out.modulate

Of course I tried to search the archives but I could only find old or irrelevant posts. Switching synproxy off in this case isn't a problem, but I'd like to understand why synproxy wouldn't work in this scenario or what triggers it to fail.

Thanks,

--
Stephan A. Rickauer
-----------------------------------------------------------
Institute of Neuroinformatics    Tel +41 44 635 30 50
University / ETH Zurich          Sec +41 44 635 30 52
Winterthurerstrasse 190          Fax +41 44 635 30 53
CH-8057 Zurich                   Web www.ini.uzh.ch
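An added pf.conf fragment, not the poster's configuration, putting the two rule variants from the post side by side with comments on what each asks pf to do during the TCP handshake. The interface name, macro names and client network are assumptions chosen for the example; the rule bodies are the ones quoted above.

```pf
# Added example (not from the original post): the two rule variants side by side.
# Interface and network macros below are assumptions for illustration only.
int_if  = "em1"               # assumed internal interface facing the client
lan_net = "172.16.2.0/24"     # assumed client network behind the NAT firewall

# modulate state: pf forwards the client's SYN to the server unchanged and only
# rewrites the TCP initial sequence numbers of both sides in the state entry,
# so the three-way handshake is still completed end to end between the client
# and the web server.
pass in log quick on $int_if inet proto tcp from $lan_net to port http modulate state

# synproxy state: pf answers the client's SYN itself, finishes the handshake
# with the client, then opens its own handshake to the server and splices the
# two connections together; it implies modulate state. pf.conf(5) describes
# this as protection for hosts behind pf against spoofed SYN floods, i.e. it
# is aimed at inbound connections to a protected server, and it requires pf
# to see and own both halves of the handshake.
# pass in log quick on $int_if inet proto tcp from $lan_net to port http synproxy state
```

When comparing the two behaviours on the firewall itself, `pfctl -ss` lists the current state entries: a synproxied connection that is still shown in the PROXY:SRC or PROXY:DST stage has not completed the proxied handshake on one of the two sides, whereas an ESTABLISHED:ESTABLISHED entry means both halves were spliced and data should be flowing. `pfctl -vvsr` shows per-rule packet and state counters, and `tcpdump -n -e -ttt -i pflog0` shows which rule the `log` keyword matched for each packet.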