Date: Mon, 2 Aug 2010 11:16:37 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Maciej Milewski <milu@dat.pl>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf filtering openvpn problem
Message-ID: <20100802091637.GB16609@insomnia.benzedrine.cx>
In-Reply-To: <201008010132.38555.milu@dat.pl>
References: <201008010132.38555.milu@dat.pl>
The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in on tun0, matching

> pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep

and then passes out on sk0, but there is no matching rule. Since your default block rule

> block drop in log all

only applies to incoming (not outgoing) packets, it doesn't match, either. So the SYN packet passes by the implicit default pass rule, which doesn't keep state.

That's why the returning SYN+ACK is blocked in on sk0, there is no state.

Try adding

  pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep

and maybe remove the 'in' from the default block rule.

HTH,
Daniel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100802091637.GB16609>
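The evaluation order Daniel describes (an existing state entry wins; otherwise the last matching rule wins; otherwise the implicit default pass, which creates no state) is what makes the SYN leave stateless and the SYN+ACK die on sk0. The following is an added example, not part of the thread and not pf's own code: a small Python model of that order, with the two rulesets from the thread written out in full ("keep state"). It replays the forwarded SSH handshake (SYN in on tun0, out on sk0, SYN+ACK back in on sk0, out on tun0) under both rulesets. The model is deliberately simplified: states are floating and direction-bound, there is no `quick`, no if-bound state policy, no TCP window tracking, and only the keywords the thread's rules use are parsed; the source port 40000 is a constructed value.

```python
"""Toy model of pf's stateful evaluation: an existing state wins, else the rules
(last match wins), else the implicit default pass, which keeps no state."""
import ipaddress
from collections import namedtuple

# flags: TCP flags present as a subset of "SA" ("S" = SYN, "SA" = SYN+ACK)
Packet = namedtuple("Packet", "iface direction src sport dst dport flags")

KEYWORDS = {"on": "iface", "from": "src", "to": "dst", "flags": "flags"}
IGNORED = {"drop", "log", "inet", "proto", "tcp", "all"}  # no effect on matching here

def parse_rule(line):
    """Parse the subset of pf.conf syntax used in the thread's rules into a dict."""
    toks = line.split()
    r = dict(action=toks[0], direction=None, iface=None, src=None, dst=None,
             flags=None, keep_state=False, text=line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r["direction"] = t
        elif t in KEYWORDS:
            i += 1
            r[KEYWORDS[t]] = toks[i]
        elif t == "keep":
            i += 1
            assert toks[i] == "state", line
            r["keep_state"] = True
        elif t not in IGNORED:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return r

def addr_match(spec, addr):  # None or "any" matches everything; else host or CIDR
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def flags_match(spec, pkt_flags):
    """'S/SA': among the flags in the mask (S and A), exactly S must be set."""
    if spec is None:
        return True
    want, mask = spec.split("/")
    return all((f in pkt_flags) == (f in want) for f in mask)

def rule_matches(r, p):
    return (r["direction"] in (None, p.direction) and r["iface"] in (None, p.iface)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and flags_match(r["flags"], p.flags))

class Pf:
    def __init__(self, conf):
        self.rules = [parse_rule(l.strip()) for l in conf.splitlines() if l.strip()]
        self.states = []  # floating states: (key as seen by the creating packet, its direction)

    def state_match(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # same key going the same way, or the reverse key going the opposite way
        return any((k == fwd and d == p.direction) or (k == rev and d != p.direction)
                   for k, d in self.states)

    def filter(self, p):
        """Return (verdict, reason); the state table is consulted before any rule."""
        if self.state_match(p):
            return "pass", "state"
        winner = None
        for r in self.rules:
            if rule_matches(r, p):
                winner = r  # last matching rule wins ('quick' is not modelled)
        if winner is None:
            return "pass", "implicit default pass (no state created)"
        if winner["action"] == "pass" and winner["keep_state"]:
            self.states.append(((p.src, p.sport, p.dst, p.dport), p.direction))
        return winner["action"], winner["text"]

# The thread's rulesets with "keep state" written out; constructed for this example.
ORIGINAL_CONF = """
block drop in log all
pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
"""
FIXED_CONF = """
block drop log all
pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
"""

def replay(pf):
    """Walk the forwarded SSH handshake (SYN in on tun0, out on sk0, SYN+ACK back in
    on sk0, out on tun0), stopping at the first block. Source port 40000 is made up."""
    path = [Packet("tun0", "in", "10.10.0.8", 40000, "10.0.10.2", 22, "S"),
            Packet("sk0", "out", "10.10.0.8", 40000, "10.0.10.2", 22, "S"),
            Packet("sk0", "in", "10.0.10.2", 22, "10.10.0.8", 40000, "SA"),
            Packet("tun0", "out", "10.0.10.2", 22, "10.10.0.8", 40000, "SA")]
    results = []
    for p in path:
        results.append(pf.filter(p))
        if results[-1][0] == "block":
            break
    return results
```

With ORIGINAL_CONF, `replay(Pf(ORIGINAL_CONF))` yields pass (tun0 rule, state created), pass (implicit default pass, no state) and then block on the SYN+ACK, because the only state was created inbound on tun0 and the reply arriving inbound on sk0 is the wrong direction for it. With FIXED_CONF all four packets pass, the last two purely on state. The model also shows why removing the `in` from the block rule is worth doing: with `block drop log all` but without the sk0 pass rule, the outbound SYN is blocked outright rather than slipping through stateless, so the missing rule shows up in the log instead of as a mysteriously dropped SYN+ACK.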