From: "N. Ersen SISECI"
Date: Tue, 27 Jun 2006 13:39:41 +0300
To: freebsd-pf@FreeBSD.org
Subject: Keep State is not working on 6.1-RELEASE-p1
Message-ID: <44A10AED.6040606@gmail.com>

Hi,

There seems to be a problem with the "keep state" handling with my pf on FreeBSD 6.1-RELEASE-p1.

My first rule is pass in all with keep state. But the packets do not seem to be able to pass out from the other interface. If I change the last block to "pass", everything works fine. It seems that the state table is always if-bound??? Is there a solution for this problem, or am I missing a configuration with kernel, pf, pf.conf etc... ??? or is this a bug :) Please help...

Here are my rules:

set state-policy floating
pass in log quick proto tcp from any to any keep state
block in log quick all
block out log quick all

These are pf log lines:

2006-06-27 15:22:27.188969 rule 0/0(match): pass in on bge0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573
2006-06-27 15:22:27.188986 rule 2/0(match): block out on em0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573

N. Ersen SISECI
http://www.enderunix.org
EnderUNIX SDT @ Turkey