| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140103131908.GA26268@macbook.localnet> Date: Fri, 3 Jan 2014 13:19:08 +0000 From: Patrick McHardy <kaber@...sh.net> To: Vincent Li <vincent.mc.li@...il.com> Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, netfilter-devel@...r.kernel.org Subject: Re: How to test netfilter SYNPROXY target properly? On Thu, Jan 02, 2014 at 03:30:21PM -0800, Vincent Li wrote: > Hi Patrick > > I should have put this question in user list instead of dev list, but > I couldn't find any user based documentation on how to test the > SYNPROXY target other than the message in the SYNPROXY patch series. > so here is my setup: > > ---packet flow > > client 10.1.72.99 (vlan 1101) <->Linux with SYNPROXY rule - 10.1.72.9 > (vlan 1101) 10.2.72.139 (vlan 1102) <->server 10.2.72.99 > ... > /usr/local/sbin/iptables -A INPUT -i $EXTIF -p tcp --dport 80 -m state > --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss > 1460 --wscale 5 > 00000000 00000000 > > I think I might miss something and not testing the SYNPROXY properly, any clue? I guess you need to put the SYNPROXY rule in FORWARD instead of INPUT. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists