| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Jan 2014 09:24:15 -0800 From: Vincent Li <vincent.mc.li@...il.com> To: Patrick McHardy <kaber@...sh.net> Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, netfilter-devel@...r.kernel.org Subject: Re: How to test netfilter SYNPROXY target properly? Thanks Patrick, put SYNPROXY in FORWARD did it. On Fri, Jan 3, 2014 at 5:19 AM, Patrick McHardy <kaber@...sh.net> wrote: > On Thu, Jan 02, 2014 at 03:30:21PM -0800, Vincent Li wrote: >> Hi Patrick >> >> I should have put this question in user list instead of dev list, but >> I couldn't find any user based documentation on how to test the >> SYNPROXY target other than the message in the SYNPROXY patch series. >> so here is my setup: >> >> ---packet flow >> >> client 10.1.72.99 (vlan 1101) <->Linux with SYNPROXY rule - 10.1.72.9 >> (vlan 1101) 10.2.72.139 (vlan 1102) <->server 10.2.72.99 >> ... >> /usr/local/sbin/iptables -A INPUT -i $EXTIF -p tcp --dport 80 -m state >> --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss >> 1460 --wscale 5 >> 00000000 00000000 >> >> I think I might miss something and not testing the SYNPROXY properly, any clue? > > I guess you need to put the SYNPROXY rule in FORWARD instead of INPUT. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists