From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 04:02:09 2008
Message-ID: <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
Date: Wed, 27 Feb 2008 23:02:08 -0500
From: "Vadym Chepkov" <vchepkov@gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
Subject: Re: floating keep state
List-Id: "Technical discussion and general questions about packet filter (pf)"

I created a lab configuration with the minimum settings:

The DNS server has IP 10.10.10.1, the client has IP 10.10.11.254, and
between them is 6.3-RELEASE-p1 with 10.10.10.6 and 10.10.11.1 interfaces.

Here is /etc/pf.conf:

set block-policy return
set state-policy floating
pass in log quick proto udp from any to 10.10.10.1 port domain keep state
block in log from any to 10.10.11.254

Now I run nslookup on the client. Here is the output of
tcpdump -n -l -e -i pflog0:

22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]

The state is:

# pfctl -ss
self udp 10.10.10.1:53 <- 10.10.11.254:32772 NO_TRAFFIC:SINGLE

My question is, why was the reply packet blocked?
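When triaging a report like the one above, the first thing to establish is whether the blocked packet is actually the reverse half of a flow that pf already has a state for. The following Python is an added example written for this archive page; it is not code from the poster or from the pf project. It parses the pflog lines in the tcpdump -e format shown above and the pfctl -ss state line, then flags any blocked packet whose addresses and ports are exactly the reply direction of a tracked state. It assumes (as an interpretation of the pfctl output, not something the post states) that a state printed with "<-" is an inbound state where the right-hand endpoint initiated it, and one printed with "->" lists initiator first. The sample input is the poster's own log and state lines, embedded here as constructed data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the pflog lines and the state entry quoted in the post.
PFLOG_SAMPLE = """\
22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]
"""
STATE_SAMPLE = "self udp 10.10.10.1:53 <- 10.10.11.254:32772 NO_TRAFFIC:SINGLE"

Endpoint = Tuple[str, int]  # (address, port)


@dataclass
class PflogEntry:
    ts: str
    rule: int
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    ifname: str
    src: Endpoint
    dst: Endpoint


@dataclass
class StateEntry:
    ifname: str      # "self" for a floating state, otherwise the bound interface
    proto: str
    initiator: Endpoint
    responder: Endpoint
    status: str


# tcpdump -n -e -i pflog0 line: "<ts> rule N/M(reason): <action> <dir> on <if>: a.b.c.d.port > e.f.g.h.port: ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
# pfctl -ss line: "<if> <proto> a.b.c.d:port <-|-> e.f.g.h:port <status>"
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\w+)\s+(?P<a>[\d.]+):(?P<ap>\d+)\s+(?P<arrow><-|->)\s+"
    r"(?P<b>[\d.]+):(?P<bp>\d+)\s+(?P<status>\S+)"
)


def parse_pflog(text: str) -> List[PflogEntry]:
    """Parse every pflog line that matches the expected format; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        entries.append(PflogEntry(
            ts=m["ts"], rule=int(m["rule"]), action=m["action"], direction=m["dir"],
            ifname=m["ifname"], src=(m["src"], int(m["sport"])), dst=(m["dst"], int(m["dport"]))))
    return entries


def parse_state(line: str) -> Optional[StateEntry]:
    """Parse one pfctl -ss line into initiator/responder endpoints."""
    m = STATE_RE.match(line)
    if not m:
        return None
    a, b = (m["a"], int(m["ap"])), (m["b"], int(m["bp"]))
    # Assumption: "->" prints initiator -> responder; "<-" prints responder <- initiator.
    initiator, responder = (a, b) if m["arrow"] == "->" else (b, a)
    return StateEntry(m["ifname"], m["proto"], initiator, responder, m["status"])


def classify(entry: PflogEntry, states: List[StateEntry]) -> str:
    """Relate a logged packet to the state table: forward half, reply half, or untracked."""
    for st in states:
        if entry.src == st.initiator and entry.dst == st.responder:
            return "state-forward"
        if entry.src == st.responder and entry.dst == st.initiator:
            return "state-reply"
    return "untracked"


def find_blocked_replies(pflog_text: str, state_lines: List[str]) -> List[PflogEntry]:
    """Blocked packets that are the reply direction of an existing state: the anomaly to chase."""
    states = [s for s in (parse_state(l) for l in state_lines) if s is not None]
    return [e for e in parse_pflog(pflog_text)
            if e.action == "block" and classify(e, states) == "state-reply"]


if __name__ == "__main__":
    for e in find_blocked_replies(PFLOG_SAMPLE, [STATE_SAMPLE]):
        print(f"rule {e.rule} blocked reply on {e.ifname}: {e.src} -> {e.dst}")
```

Run against the poster's lines, the tool reports rule 1 blocking a packet on xl0 that is the exact reverse of the tracked UDP state, which confirms the packet reached rule evaluation instead of matching the state; it does not by itself say why, but it separates this case from an unrelated block of untracked traffic.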