From owner-freebsd-questions@FreeBSD.ORG Thu Apr 3 14:39:58 2008
Date: Thu, 3 Apr 2008 16:39:54 +0200 (CEST)
From: Erik Norgaard
To: questions@freebsd.org
Subject: Re: packet filter does not keep state
User-Agent: Alpine 1.00 (LSU 882 2007-12-20)
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
List-Id: User questions

I have investigated further: The state table adds this entry:

all tcp 192.168.0.254:80 <- 172.17.1.254:50186 CLOSED:SYN_SENT

which I suppose reflects the fact that the packet is blocked. I don't know how to capture the state table after the packet is passed on the way in, but before it is blocked on the way out.

Regarding the bad header, it is interesting that the header is fine on the way in! I had "scrub in all", which I changed to "scrub all", but no difference.

Have I found a bug?
I'm running FreeBSD 7.0-STABLE #0: Fri Feb 29 19:44:34 CET 2008 - custom kernel

As for NAT, there should be no problem: NAT is not applied, since I am connecting between directly connected local networks. I have no problem accessing the Internet where NAT is applied, btw (packets are passed by different rules on the way in, and NAT is applied after the out-rules above anyway). Anyway, FYI, this is my NAT rule:

nat on $srv_if from $wlan_net to ! -> $srv_if

Regarding the "quick", Vinicius: There is no point in removing that rule. First, as you see, the pass in rules also have "quick" and take effect before, as the log shows.

On the out rules: Since I have keep state in the "in" rule, a state should be created by the in rule and it should not be filtered by any out rules. Yet this does not happen. As I mention in the OP, I can add a rule for out, but this is not how it's supposed to work.

Thanks, Erik
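The behaviour Erik expects (a state created by a "pass in ... keep state" rule matching the forwarded packet on the way out, with no explicit "pass out" rule) is how pf's floating states work. The following pf.conf is an added example, not the ruleset from the thread; interface names, macros and the two /24 networks are assumptions, only the two host addresses come from the state entry above.

```pf
# Added example (not from the thread): router with two directly connected
# LANs. Interface names, macros and the /24 networks are assumed; only
# 192.168.0.254 and 172.17.1.254 appear in the original post.
wlan_if  = "ath0"
srv_if   = "em0"
wlan_net = "172.17.1.0/24"
srv_net  = "192.168.0.0/24"

set skip on lo0

# Normalise fragments/bad options on every interface, both directions.
scrub all

# Default deny, logged, so anything that is dropped shows up on pflog0
# (tcpdump -n -e -ttt -i pflog0) with the interface and direction.
block log all

# Stateful pass on the inbound interface. With the default state-policy
# (floating), the state created here is not bound to $wlan_if: every later
# packet of the connection, in either direction and on any interface, is
# matched by the state entry and is never evaluated against the ruleset
# again. That is why no "pass out on $srv_if" is needed for the forwarded
# SYN or for the replies. "pfctl -ss" shows the entry as
# "all tcp ... <- ..." where "all" marks a floating state.
pass in quick on $wlan_if proto tcp from $wlan_net to $srv_net port 80 \
    flags S/SA keep state

# Return traffic from the server LAN to the WLAN needs no rule either; it is
# covered by the same state. Packets that are NOT part of a tracked
# connection (e.g. a server-initiated connection to the WLAN) still hit
# "block log all" and are what you should expect to see on pflog0.
```

If the forwarded packet is still logged as blocked on $srv_if while "pfctl -ss" shows the state, compare the logged packet's addresses and ports against the state entry: a packet that scrub rewrote or that NAT changed after state creation will no longer match it.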