From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 15:37:25 2007
Message-Id: <200708021537.l72Fb69k004919@pinky.frank-behrens.de>
From: "Frank Behrens"
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 02 Aug 2007 17:37:06 +0200
In-reply-to: <200708021715.25167.max@love2party.net>
References: <200708021502.l72F2PCu004207@pinky.frank-behrens.de>
Subject: Re: pf eats syn packet?

Max Laier wrote on 2 Aug 2007 17:15:
> Can you follow up with the complete pf.conf you are using?

I'll send you the complete file in a personal mail.

> The "state insert failed" error suggests a logic problem in your config
> (or a missed PF_TAG_GENERATED somewhere). It seems that the same packet
> is run through the firewall twice, generating state on the first run,
> but not matching it on the second ... somehow strange.

As I wrote in my 1st message, the following statements may produce the problem:

  nat inet from !tun2-address to any port = http -> tun2-address
  nat on tun0 inet from to any -> tun0-address
  ....
  pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state
  pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state

The reason for this setup is that I want to use policy based routing. The http port is an easy to test example. I have 2 DSL/pppoe connections with NAT and tun0 has the default route assigned. I want to

  - route some traffic from LAN (NATed) to tun2
  - route some traffic from gateway to tun2

Maybe there is a better solution?

Regards,
Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
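An added diagnostic for the symptom Max describes (one connection creating state on two interfaces after a route-to re-run), not code from the thread: it parses `pfctl -ss` output and reports connection keys that appear on more than one interface. The line layout it expects is an assumption based on pf's state printer of that era, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed `pfctl -ss` line layout (one state per line):
#   <ifname|all> <proto> <addr:port> [(<addr:port>)] -> <addr:port>   <STATE:STATE>
# For an outbound NAT state the first address is the translated one and the
# parenthesised address is the original (untranslated) endpoint.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<first>[\d.]+:\d+)(?:\s+\((?P<orig>[\d.]+:\d+)\))?\s+->\s+"
    r"(?P<ext>[\d.]+:\d+)\s+(?P<st>\S+)$"
)

def parse_state(line):
    """Return a dict for one state line, or None if the line does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Identify the connection by its untranslated endpoint, so the same flow
    # looks identical no matter which uplink address it was NATed to.
    d["lan"] = d["orig"] or d["first"]
    return d

def find_duplicate_states(lines):
    """Return {(proto, lan, ext): [ifnames]} for keys present on several interfaces."""
    seen = defaultdict(set)
    for line in lines:
        s = parse_state(line)
        if s:
            seen[(s["proto"], s["lan"], s["ext"])].add(s["ifname"])
    return {key: sorted(ifs) for key, ifs in seen.items() if len(ifs) > 1}

# Constructed sample: one LAN http flow that left a state on both uplinks,
# one ordinary ssh flow, and a floating ("all") DNS state.
SAMPLE = """\
tun0 tcp 203.0.113.5:49152 (192.168.20.32:49152) -> 198.51.100.9:80       ESTABLISHED:ESTABLISHED
tun2 tcp 198.51.100.20:49152 (192.168.20.32:49152) -> 198.51.100.9:80       SYN_SENT:CLOSED
tun0 tcp 203.0.113.5:55555 (192.168.20.32:55555) -> 203.0.113.77:22       ESTABLISHED:ESTABLISHED
all udp 192.168.20.1:53 -> 192.168.20.32:60000       MULTIPLE:SINGLE
""".splitlines()

if __name__ == "__main__":
    for (proto, lan, ext), ifs in find_duplicate_states(SAMPLE).items():
        print("state for %s %s -> %s exists on %s" % (proto, lan, ext, ", ".join(ifs)))
```

On a live box, feed it `pfctl -ss` output instead of SAMPLE; with interface-bound states, a key reported on two uplinks is the packet being evaluated twice that the error message complains about.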