Date: Sun, 18 May 2008 08:19:19 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Johan Ström <johan@stromnet.se>
Cc: Alex Trull <alex@trull.org>, freebsd-pf@freebsd.org, freebsd-stable <freebsd-stable@freebsd.org>, freebsd-net@freebsd.org
Subject: Re: connect(): Operation not permitted
Message-ID: <482FD877.6050707@infracaninophile.co.uk>
In-Reply-To: <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se>
References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> <1211037564.6326.27.camel@porksoda> <679DB462-75D6-45CC-949C-1BE8E12C22CD@stromnet.se>

Johan Ström wrote:

> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123
> flags S/SA keep state". Where did that "keep state" come from?

'flags S/SA keep state' is the default now for tcp filter rules -- that
was new in 7.0 reflecting the upstream changes made between the 4.0 and 4.1
releases of OpenBSD. If you want a stateless rule, append 'no state'.

http://www.openbsd.org/faq/pf/filter.html#state

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
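
An added illustration, not part of the original message: a small sh/awk filter that lists the pass rules in a ruleset that carry no explicit state option, which are the rules pf loads with the implicit 'keep state' (and 'flags S/SA' for TCP) described in the reply. The function name, the em0 interface and the sample ruleset are constructed for this example, and it assumes one rule per line with no macros or backslash continuations.

```shell
#!/bin/sh
# Added example (not from the original message).
# Reads pf.conf-style rules on stdin and prints "<line number>: <rule>"
# for every pass rule that names no state option. Under the defaults
# described above, those rules are loaded as stateful; a rule meant to be
# stateless has to say "no state" explicitly.
implicit_state_rules() {
    awk '
        { sub(/#.*/, "") }           # drop trailing comments
        $1 != "pass" { next }        # only pass rules are of interest here
        {
            $1 = $1                  # collapse runs of blanks to one space
            line = " " $0 " "
            # an explicit option: no/keep/modulate/synproxy state
            if (line ~ / (no|keep|modulate|synproxy) state[ (]/) next
            print NR ": " $0
        }
    '
}

# Constructed sample ruleset; em0 is a hypothetical interface name.
SAMPLE_RULES='# constructed sample ruleset
block in all
pass on lo0 inet from 123.123.123.123 to 123.123.123.123
pass in on em0 proto tcp to port 22 keep state
pass out on em0 proto udp to port 53 no state   # stateless on purpose
pass out on em0 proto tcp to port 80 modulate state'

printf '%s\n' "$SAMPLE_RULES" | implicit_state_rules
```

The loaded form of each reported rule can be confirmed with `pfctl -vsr`, as in the quoted question.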
