I got a reply on the FreeBSD lists suggesting the firewall itself -had- to be the default gateway for the client;

Ahh. That explains it then. I was operating under the assumption that the machine doing the synproxy would forge the reply such that the TARGET host would reply to the synproxy box, not its default gateway.

As in: 1.2.3.4 sends a request to client 5.5.5.5 via 2.3.4.5; 2.3.4.5 sends a forged request to 5.5.5.5; 5.5.5.5 replies to 2.3.4.5; 2.3.4.5 no longer proxies state and allows 1.2.3.4 and 5.5.5.5 to talk to each other directly.

The topology is as such:

internet - switch -> em0 | pf | em1 -> switch -> client
                    \--------------------------/

So the client's default gateway out is the switch, which doesn't send all traffic back over the PF machine. From what you've described, the PF synproxy box would literally have to be inline and the default gateway.

internet - em0 | pf | em1 -> client

Is this the case? Would it not be possible to add this functionality in some way?
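The question hinges on what a SYN proxy keeps doing after the handshake. The Python model below is an added illustration, not pf's code; it mimics the behaviour of pf's "synproxy state": the firewall completes the three-way handshake with the connecting host using its own initial sequence number, only then opens a second handshake to the protected host, and from that point on has to shift sequence and ack numbers by the difference between the two ISNs on every segment it forwards. In the model 1.2.3.4 is the Internet host opening the connection and 5.5.5.5 the protected host (what the thread calls the client); addresses, ISNs, state names and the request bytes are constructed for the example. Run with the protected host's replies routed back through the firewall, the request gets through; run with the topology in this thread, where the protected host's replies leave via the switch, its SYN-ACK goes straight to 1.2.3.4 and the proxied connection never leaves the intermediate state.

```python
"""Toy model of a TCP SYN proxy in the style of pf's "synproxy state".
Added illustration, not pf code. 1.2.3.4 opens the connection, 2.3.4.5 is
the pf box, 5.5.5.5 the protected host. All numbers are made up."""
from dataclasses import dataclass

CLIENT, PROXY, SERVER = "1.2.3.4", "2.3.4.5", "5.5.5.5"
REQUEST = b"GET / HTTP/1.0\r\n\r\n"   # constructed payload


@dataclass
class Seg:
    src: str
    dst: str
    flags: str       # "S", "SA", "A" or "PA"
    seq: int
    ack: int = 0
    data: bytes = b""


class Client:
    # Sends SYN, completes the handshake with whatever answers, then sends REQUEST.
    def __init__(self, isn):
        self.isn, self.peer_isn, self.stray_synacks, self.acked_upto = isn, None, 0, None

    def start(self):
        return [Seg(CLIENT, SERVER, "S", self.isn)]

    def recv(self, seg):
        if seg.flags == "SA" and self.peer_isn is None:
            self.peer_isn = seg.seq
            return [Seg(CLIENT, SERVER, "A", self.isn + 1, seg.seq + 1),
                    Seg(CLIENT, SERVER, "PA", self.isn + 1, seg.seq + 1, REQUEST)]
        if seg.flags == "SA":
            self.stray_synacks += 1        # second SYN-ACK for a connection we consider open
        elif seg.flags == "A" and seg.seq == self.peer_isn + 1:
            self.acked_upto = seg.ack      # only lines up if the proxy rewrote the seq
        return []


class Server:
    # Ordinary passive open; it never learns the proxy exists.
    def __init__(self, isn):
        self.isn, self.established, self.received = isn, False, b""

    def recv(self, seg):
        if seg.flags == "S":
            return [Seg(SERVER, seg.src, "SA", self.isn, seg.seq + 1)]
        if seg.flags == "A":
            self.established = True
        if seg.flags == "PA" and self.established:
            self.received += seg.data
            return [Seg(SERVER, seg.src, "A", self.isn + 1, seg.seq + len(seg.data))]
        return []


class SynProxy:
    # States: PROXY:SRC (handshake with client), PROXY:DST (handshake with server),
    # ESTABLISHED (splice both legs, shifting server-side numbers by seqdiff).
    def __init__(self, isn):
        self.isn, self.state, self.seqdiff, self.queued = isn, None, 0, []

    def recv(self, seg):
        out = []
        if seg.src == CLIENT:
            if seg.flags == "S" and self.state is None:
                self.state, self.client_isn = "PROXY:SRC", seg.seq
                out.append(Seg(SERVER, CLIENT, "SA", self.isn, seg.seq + 1))  # spoofed
            elif seg.flags == "A" and self.state == "PROXY:SRC":
                self.state = "PROXY:DST"                   # client is real: open server leg
                out.append(Seg(CLIENT, SERVER, "S", self.client_isn))
            elif self.state == "PROXY:DST":
                self.queued.append(seg)                    # hold data until server answers
            elif self.state == "ESTABLISHED":
                out.append(self.to_server(seg))
        elif seg.src == SERVER:
            if seg.flags == "SA" and self.state == "PROXY:DST":
                self.seqdiff, self.state = seg.seq - self.isn, "ESTABLISHED"
                out.append(Seg(CLIENT, SERVER, "A", self.client_isn + 1, seg.seq + 1))
                out += [self.to_server(q) for q in self.queued]
                self.queued = []
            elif self.state == "ESTABLISHED":
                out.append(self.to_client(seg))
        return out

    def to_server(self, s):   # client acks our ISN; shift the ack into the server's space
        return Seg(s.src, s.dst, s.flags, s.seq, s.ack + self.seqdiff, s.data)

    def to_client(self, s):   # server's seq shifted back to what the client was told
        return Seg(s.src, s.dst, s.flags, s.seq - self.seqdiff, s.ack, s.data)


def next_hop(origin, seg, symmetric):
    # Inbound packets always cross pf; the server's replies cross it only when pf is
    # the server's gateway (symmetric=True). Proxy output goes straight to its dst.
    if origin == PROXY:
        return seg.dst
    if origin == CLIENT:
        return PROXY
    return PROXY if symmetric else seg.dst


def run(symmetric):
    nodes = {CLIENT: Client(1000), PROXY: SynProxy(5000), SERVER: Server(9000)}
    queue = [(CLIENT, s) for s in nodes[CLIENT].start()]
    while queue:
        origin, seg = queue.pop(0)
        hop = next_hop(origin, seg, symmetric)
        queue += [(hop, s) for s in nodes[hop].recv(seg)]
    return {"proxy_state": nodes[PROXY].state, "server_got": nodes[SERVER].received,
            "client_acked_upto": nodes[CLIENT].acked_upto,
            "stray_synacks": nodes[CLIENT].stray_synacks}
```

run(True) ends with the proxy in ESTABLISHED and the request delivered; run(False) ends with the proxy stuck in PROXY:DST, the queued request never forwarded, and 1.2.3.4 holding a SYN-ACK it cannot use. Note also that even after both handshakes the proxy keeps rewriting numbers on every segment, so the hand-off imagined in the post above (the proxy stepping out of the path once the connection is up) has no place in this design.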



On 7/28/2010 11:42 AM, Justin wrote:
Well, only one interface is set to be a default gateway out, the other has an IP with no gateway, but a manual route entry for how to reach the client machine. I've also tried applying the synproxy rules on the interface facing the client heading outbound to no avail.


On 7/28/2010 5:26 AM, Tom Murphy wrote:
Synproxy only appears to work on the interface with the default gateway
(egress). I could never make it work on a firewall with more than 1
external interface properly.

I don't know if this is a bug or by design.

Tom
