From owner-freebsd-pf@FreeBSD.ORG  Mon Aug  2 09:16:47 2010
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 51F071065674
	for <freebsd-pf@freebsd.org>; Mon,  2 Aug 2010 09:16:47 +0000 (UTC)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (106-30.3-213.fix.bluewin.ch
	[213.3.30.106]) by mx1.freebsd.org (Postfix) with ESMTP id 3EEC08FC1D
	for <freebsd-pf@freebsd.org>; Mon,  2 Aug 2010 09:16:44 +0000 (UTC)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1])
	by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id o729Gchv012612
	(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO);
	Mon, 2 Aug 2010 11:16:38 +0200 (MEST)
Received: (from dhartmei@localhost)
	by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id o729GbmZ031006;
	Mon, 2 Aug 2010 11:16:37 +0200 (MEST)
Date: Mon, 2 Aug 2010 11:16:37 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Maciej Milewski <milu@dat.pl>
Message-ID: <20100802091637.GB16609@insomnia.benzedrine.cx>
References: <201008010132.38555.milu@dat.pl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201008010132.38555.milu@dat.pl>
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-pf@freebsd.org
Subject: Re: pf filtering openvpn problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2010 09:16:47 -0000

The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
on tun0, matching

> pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep 

and then passes out on sk0, but there is no matching rule.

Since your default block rule

> block drop in log all

only applies to incoming (not outgoing) packets, it doesn't match,
either. So the SYN packet passes by the implicit default pass rule,
which doesn't keep state.

That's why the returning SYN+ACK is blocked in on sk0, there is no
state.

Try adding

pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep 

and maybe remove the 'in' from the default block rule.

HTH,
Daniel