Can't use TCP SYN Proxy on CARP interface.


Daniel Ouellet
Is there a reason that I don't understand why TCP SYN Proxy wouldn't
work on a CARP interface?

If I run a web server on a physical interface with
pass in on $ext_if proto tcp from any to $web_server port www \
    flags S/SA synproxy state

will work as explained in the FAQ, but if I try to do the same where I run
the web server on a CARP interface it wouldn't accept it. Something like:

pass in on $ext_if proto tcp from any to carp1 port www \
    flags S/SA synproxy state

will not work but this would:

pass in on $ext_if proto tcp from any to carp1 port www

Maybe I am trying to do something that makes no sense, but I thought it
should work, so that I could in the end use additional filtering and
limits with

pass in on $ext_if proto tcp from any to carp1 port www \
    flags S/SA synproxy state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)
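For reference, here is the complete form of the rule the poster is working towards, written out as an added pf.conf fragment rather than code from the original message. It spells out the per-source limits together with an overload table, which is the usual reason for adding source tracking to a synproxy rule. The interface name, the address macro, and the table name are assumptions; the fragment addresses the CARP-hosted service by an explicit address macro instead of the interface name, and it does not answer the question of whether synproxy state is accepted on carp1.

```pf
# Added example; names and addresses are placeholders, not from the post.
ext_if   = "em0"
web_srv  = "192.0.2.10"      # assumed: the address configured on carp1

# Hosts that exceed the limits below are collected here and blocked.
table <bruteforce> persist

block in quick on $ext_if from <bruteforce>

# SYN proxy plus per-source limits. "source-track rule" keeps the counters
# per rule; max-src-states caps states per source address; max-src-nodes
# caps the number of tracked sources; max-src-conn-rate 15/5 means more than
# 15 new connections in 5 seconds from one source trips the overload, which
# adds the source to <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp from any to $web_srv port www \
    flags S/SA synproxy state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3, \
     max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Load-test the fragment with pfctl -nf before committing it, since a parse error is exactly what the poster reports for the interface-name form; pfctl -t bruteforce -T show then lists any sources the overload rule has caught.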