pf: synproxy + packet tagging

clintpachl_at_gmail.com
Date: 03/31/05


Date: 30 Mar 2005 18:02:02 -0800

When I use synproxy and tagging together, traffic does not pass through
my firewall as expected. I just read a post that PF creates an
implicit tag for synproxy rules, thus overwriting any explicit tags.
Consequently, following rules that look for the explicit tag will fail.
Is this true and has it been fixed/patched? Is tagging reliable? I am
using PF on OpenBSD 3.6.

I noticed that if I pass traffic in or out of the firewall without
tags, synproxy works, but with about a 3 second delay. I have also
tried combinations of modulate/keep state, if-bound, flags/no flags,
etc, but nothing. If I use modulate instead of synproxy, all of my
rules work just fine, but I don't get the benefits of synproxy. Here is
a simple example of passing traffic from the Internet to the DMZ and
back.

# Incoming traffic destined for an http server on the DMZ
pass in on dc0 proto tcp to port http tag toDmz flags S/SA synproxy state

# Tagged version: fails to pass traffic to the DMZ
pass out quick on dc1 tagged toDmz modulate state

# Non-tagged version: passes traffic to the DMZ, but with 3s delay
pass out quick on dc1 modulate state

Any help/hints are appreciated, thanks.
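The following is an added example, not part of the original post and not a confirmed fix for the behaviour described above. It restates the poster's three rules as a small pf.conf fragment with `log` added, plus the pfctl/tcpdump commands used to check whether the state is actually created with the expected tag, so the tagged and non-tagged variants can be compared from the firewall itself. The interface names dc0/dc1, the macro names and the DMZ address 192.0.2.10 are assumptions for illustration.

```pf
# Assumed macros (illustration only)
ext_if = "dc0"
dmz_if = "dc1"
dmz_web = "192.0.2.10"

# Rule A: synproxy the handshake on the external interface and tag the
# resulting state; log it so the state creation shows up on pflog0.
pass in log on $ext_if proto tcp from any to $dmz_web port http \
    tag toDmz flags S/SA synproxy state

# Rule B (tagged): only pass traffic to the DMZ if the state carries the tag.
pass out log quick on $dmz_if tagged toDmz modulate state

# Rule C (alternative, added here as an assumption): select the same traffic
# by destination instead of by tag, so the outbound rule does not depend on
# the tag surviving the synproxy state. Use either B or C, not both.
# pass out log quick on $dmz_if proto tcp to $dmz_web port http modulate state

# --- Checks to run on the firewall (commands as given in pfctl(8)/tcpdump(8)) ---
# pfctl -nf /etc/pf.conf          # syntax check only, no load
# pfctl -f /etc/pf.conf           # load the ruleset
# pfctl -vsr                      # verbose rule listing: confirm tag/tagged and evaluation counters
# pfctl -vvss                     # state table: look for the http state and whether it is proxied
# tcpdump -n -e -ttt -i pflog0    # watch which rule number logged the packet on each interface
```

Reading the output: if Rule A's counters increase but Rule B's do not while the state still appears in `pfctl -vvss`, the outbound rule is not matching the tag and the comparison with Rule C isolates whether the tag, rather than the synproxy state itself, is what fails. The ~3 second delay mentioned in the post is consistent with the client retransmitting its SYN while the first outbound attempt is dropped, so logging on both interfaces makes that sequence visible on pflog0.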