Open no-usernames-left opened 3 months ago
I'm not sure this is supposed to work to be honest, local traffic should already have syncookies enabled (net.inet.tcp.syncookies), which might make these two options incompatible. Since pf's syncookies don't have any toggles, it might not be possible to exclude part of the traffic for this specific protection.
That sounds like a bug to me. It took hours to troubleshoot why Caddy was working fine for all subdomains except OPNsense's web GUI.
I tried it too and it really happens.
I would have never thought it would be this option. Very obscure. Subscribing to this here.
If it's not something that can be fixed I'll add a hint to the docs.
If it's a bug or a feature really depends on the specifications, which aren't very detailed on this particular subject. I'll move this to src and label it upstream.
At a first glance FreeBSD 14.1 behaves the same in these matters. Whether pf's syncookies are the right tool to use when the termination point of the traffic is the firewall itself might be a valid question as well (since the TCP stack itself does offer syncookie support anyway). A non-stateful inbound rule to prevent state table depletion for a service that terminates on the box might even be a more logical choice anyway.
FWIW, my first thought was upstream bug here as well.
Let's check with the upstream and see if they can fix it.
Describe the bug
Enabling syncookies breaks traffic both originating and terminating on the firewall (such as when you put Caddy in front of the OPNsense web GUI).

To Reproduce
1. openssl s_client -connect 127.0.0.1:443 (or :8443; both are affected, showing it's neither a Caddy nor a lighttpd issue)
2. Firewall - Settings - Advanced, change "Enable syncookies" from "never (default)" to "always", click Save
3. openssl s_client -connect 127.0.0.1:443 (or :8443)
4. write:errno=54 and be sad

Expected behavior
Not this.

Additional context
Discovered while troubleshooting this issue.

Environment
OPNsense Business 24.4_8 (amd64)
os-caddy 1.5.4_1
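The reproduction steps above can be turned into a repeatable check to run before and after toggling "Enable syncookies". The script below is an added example, not something from the issue thread or from the OPNsense project: it probes the web GUI ports with openssl s_client exactly as the steps do and classifies the result, treating write:errno=54 (ECONNRESET on FreeBSD, the symptom reported here) as the syncookie failure. The host, port list and environment variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue thread): probe the firewall's own TLS ports
# the way the reproduction steps do, so the check can be rerun after changing
# Firewall - Settings - Advanced - Enable syncookies.
# HOST and PORTS are assumed defaults; override them in the environment.
HOST="${HOST:-127.0.0.1}"
PORTS="${PORTS:-443 8443}"

# classify_sclient_output OUTPUT -> prints "reset", "ok" or "fail".
# "write:errno=54" is ECONNRESET, the failure seen when pf syncookies are
# set to "always" and the connection terminates on the firewall itself.
classify_sclient_output() {
    case "$1" in
        *"write:errno=54"*) echo "reset" ;;
        # s_client prints a verify summary only after the handshake completed
        *"Verify return code"*) echo "ok" ;;
        *) echo "fail" ;;
    esac
}

# probe_port PORT -> classification for HOST:PORT.
# Empty stdin makes s_client exit right after the handshake.
probe_port() {
    out=$(openssl s_client -connect "$HOST:$1" </dev/null 2>&1)
    classify_sclient_output "$out"
}

# Probe every port; return non-zero if any handshake did not complete.
run_probes() {
    rc=0
    for p in $PORTS; do
        r=$(probe_port "$p")
        echo "$HOST:$p -> $r"
        [ "$r" = "ok" ] || rc=1
    done
    return $rc
}

# Only contact the network when explicitly asked (SYNCOOKIE_PROBE_RUN=1),
# so the functions can be sourced and unit-tested without openssl or a GUI.
if [ "${SYNCOOKIE_PROBE_RUN:-0}" = "1" ]; then
    run_probes
fi
```

Run it once with syncookies on "never" and once on "always" (SYNCOOKIE_PROBE_RUN=1 sh syncookie_probe.sh); a port that flips from "ok" to "reset" between the two runs reproduces the report, and the same check distinguishes this from a plain closed port, which shows up as "fail" (connect:errno) rather than "reset".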