Maybe ask the operating system if the port is "bound" before completing
the handshake with the client, otherwise send RST to the client?

Asking before isn't possible. You do not know that the backend will
accept a connection based on a previous connection being accepted. And
doing a check before replying with a SYN defeats the purpose anyway.

Thanks for the reply. But I don't _completely_ understand. I don't know too much about operating system calls, but let's say that I have a program that is bound to TCP port 8080 on my local machine (same machine that is running the pf in question). Let's say I launch another program that tries to listen on this port as well. Of course it will fail with "cannot bind to port" or something like that. So there _is_ something the operating system tells us regarding a port being bound on the local system, and this [presumably] does not require any packets to be sent. Could we do a similar check before completing a handshake with a client via synproxy?

OK I may already know the reason why this isn't an elegant idea, and correct me if I'm wrong. The synproxy could be proxying a connection to another host (meaning my service listening on port 8080 is running on a _different_ host than the pf machine). For example, let's say pf is configured to forward port 8080 to an internal machine (like 192.168.0.2) that is running a service on port 8080. Then, there is no way of predicting whether there is a service running on port 8080 on that internal machine. Am I thinking along clear lines here or am I missing something?

And thank you for all your answers. By the way I think this mailing list is kind of dead because it's near impossible to get subscribed to it. I had to try really really hard to get subscribed; I wasn't able to do it from my Gmail account for example, and just following the online instructions wasn't sufficient to get subscribed even with _this_ account. If you guys care about getting more subscribers to this list, you might want to follow the direction here: http://www.benzedrine.cx/mailinglist.html and double check that things work correctly (for example little things like omitting the subject line in the email to subscribe will reject the email, also I think you need to send an email to a majordomo or something; I actually forget the steps needed to get subscribed, but it was very difficult indeed).

I hope you "guys" (by "guys" I most likely mean "one or two of you, the ones who have been very helpfully replying") don't mind all of my questions. In fact I have 2 more pf questions (answers to which I am unable to find anywhere on the internet), and unless you object I would like to send out 2 more emails with those questions at some point in the future.
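To make the ordering problem concrete, here is an added Python model of what happens behind a synproxy'd rdr rule; it is example code written for this thread, not pf's code and not the list poster's. It assumes a backend on 127.0.0.1 (standing in for 192.168.0.2 above), picks ephemeral ports, and models "send RST" with a zero-timeout SO_LINGER close. The bind probe shows the only check the OS really offers: whether *this* host already owns a port. Run it with a backend that listens and one that doesn't, and note that the client's handshake succeeds in both cases, because the proxy answered the SYN before it could know anything about the backend.

```python
import socket
import struct
import threading


def is_port_bound_locally(port, host="127.0.0.1"):
    """The check the OS actually offers: try to bind the port ourselves.

    True means some socket on *this* host already owns host:port. It says
    nothing about a service on another machine, which is why it cannot
    stand in for a backend check when pf is rdr-ing to another host.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return True
        return False


def synproxy_like_accept(listener, backend_addr):
    """Models the order of events behind a 'synproxy state' rdr rule.

    1. The handshake with the client completes first (accept() returns).
    2. Only then is the backend contacted.
    3. If the backend refuses, the already-established client connection
       is aborted with an RST (SO_LINGER with a 0 s timeout makes close()
       send RST instead of FIN).
    """
    client_side, _ = listener.accept()  # client handshake is already done here
    try:
        backend_side = socket.create_connection(backend_addr, timeout=2)
    except OSError:
        client_side.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                               struct.pack("ii", 1, 0))  # linger on, 0 s -> RST
        client_side.close()
        return "backend refused, client reset"
    backend_side.close()
    client_side.close()
    return "proxied"


def demo(backend_listening):
    """Push one client connection through the model; return what each side saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    proxy_port = listener.getsockname()[1]

    # Hypothetical backend: either a real listener or a port nobody owns.
    backend = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    backend.bind(("127.0.0.1", 0))
    backend_port = backend.getsockname()[1]
    if backend_listening:
        backend.listen(1)
    else:
        backend.close()

    seen = {"backend_bound_locally": is_port_bound_locally(backend_port)}
    worker = threading.Thread(
        target=lambda: seen.update(
            proxy=synproxy_like_accept(listener, ("127.0.0.1", backend_port))))
    worker.start()

    # The client's handshake succeeds either way: the proxy answered the SYN itself.
    client = socket.create_connection(("127.0.0.1", proxy_port), timeout=2)
    seen["client_connected"] = True
    try:
        seen["client_then_saw"] = "fin" if client.recv(1) == b"" else "data"
    except ConnectionResetError:
        seen["client_then_saw"] = "rst"
    finally:
        client.close()
    worker.join()
    listener.close()
    if backend_listening:
        backend.close()
    return seen


if __name__ == "__main__":
    print("backend down:", demo(backend_listening=False))
    print("backend up:  ", demo(backend_listening=True))
```

The bind probe returns True only for a port owned on the proxy host itself, so it would "answer" correctly for a local 8080 and be meaningless for a service behind an rdr; the model also shows why a pre-check would not help anyway: the handshake with the client is what synproxy does instead of trusting the client's SYN, and the backend is only contacted after that handshake has finished.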
