From owner-freebsd-pf@FreeBSD.ORG Tue Mar 31 21:30:21 2015
From: Joseph Mingrone
To: freebsd-pf@freebsd.org
Subject: tcpdump of pflog to show pid
Date: Tue, 31 Mar 2015 18:28:11 -0300
Message-ID: <86a8ysvous.fsf@gly.ftfl.ca>

Hi,

On OpenBSD, a tcpdump of the pflog can show the pid for locally generated
traffic. PFLOG(4) suggests FreeBSD's pflog also records this information.
Is that the case? Can FreeBSD's tcpdump show this information?

I see a similar question from 2008, but no response.
https://lists.freebsd.org/pipermail/freebsd-pf/2008-April/004307.html

Joseph

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 31 22:58:46 2015
From: Jason Hellenthal
To: Joseph Mingrone
Cc: freebsd-pf@freebsd.org
Subject: Re: tcpdump of pflog to show pid
Date: Tue, 31 Mar 2015 17:58:41 -0500
In-Reply-To: <86a8ysvous.fsf@gly.ftfl.ca>

Run tcpdump -vvve -i pflog0 ??? on a FreeBSD machine ? Should yield your
answer. This isn't necessarily something to do with tcpdump(8) than it is
for the inclusion of pf(4) into the FreeBSD kernel. Specific versions of
tcpdump(8) and configured options might yield different results. Try base
and ports.

On Mar 31, 2015, at 16:28, Joseph Mingrone wrote:

> Hi,
>
> On OpenBSD, a tcpdump of the pflog can show the pid for locally generated
> traffic. PFLOG(4) suggests FreeBSD's pflog also records this information.
> Is that the case? Can FreeBSD's tcpdump show this information?
>
> I see a similar question from 2008, but no response.
> https://lists.freebsd.org/pipermail/freebsd-pf/2008-April/004307.html
>
> Joseph

--
Jason Hellenthal
Mobile: +1 (616) 953-0176
jhellenthal@DataIX.net
JJH48-ARIN

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 31 23:31:05 2015
From: Joseph Mingrone
To: freebsd-pf@freebsd.org
Subject: Re: tcpdump of pflog to show pid
Date: Tue, 31 Mar 2015 20:30:00 -0300
Message-ID: <86ego4u4nb.fsf@gly.ftfl.ca>
References: <86a8ysvous.fsf@gly.ftfl.ca>

Jason Hellenthal writes:

> Run tcpdump -vvve -i pflog0 ??? on a FreeBSD machine ?
> Should yield your answer. This isn't necessarily something to do with
> tcpdump(8) than it is for the inclusion of pf(4) into the FreeBSD
> kernel. Specific versions of tcpdump(8) and configured options might
> yield different results. Try base and ports.

I had tried that, but not with tcpdump from ports. Unfortunately grepping
for pid only returns lots of "baiduspider".
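Grepping tcpdump's text output for "pid" only finds the word in packet payloads; the uid/pid that pflog(4) records live in the binary link-layer header of each captured frame. The direct way to see what a FreeBSD kernel actually writes there is to save the capture (`tcpdump -w pflog.pcap -i pflog0`) and decode that header. The following is an added example for this thread, not code from the list or from FreeBSD: it decodes FreeBSD's struct pfloghdr (as declared in <net/if_pflog.h>) from a DLT_PFLOG pcap, including the uid/pid and rule_uid/rule_pid fields. The sample capture is constructed inline, and the UID_MAX/NO_PID sentinels meaning "pf did no socket lookup for this packet" are an assumption about if_pflog.c, not something the thread establishes.

```python
"""Decode pflog(4) records from a DLT_PFLOG pcap and report the uid/pid fields.

Added example, not code from the thread or from FreeBSD.  Header layout follows
FreeBSD's struct pfloghdr: length, af, action, reason (one byte each),
ifname[16], ruleset[16], then rulenr, subrulenr, uid, pid, rule_uid, rule_pid
(32 bits each), dir and 3 pad bytes.  rulenr/subrulenr are written with
htonl(); uid/pid are left in host order, so the pcap magic decides their
byte order.  The UID_MAX/NO_PID sentinels are an assumption about if_pflog.c.
"""
import struct

LINKTYPE_PFLOG = 117      # pcap link type for pflog(4) captures
PFLOG_HDRLEN = 64         # BPF_WORDALIGN(61): 61 header bytes padded to 64
UID_MAX = 0xFFFFFFFF      # assumption: uid written when no socket lookup was done
NO_PID = 99999            # assumption: FreeBSD's NO_PID from <sys/proc.h>
ACTIONS = {0: "pass", 1: "block", 2: "scrub", 4: "nat", 6: "binat", 8: "rdr"}
DIRS = {0: "inout", 1: "in", 2: "out"}


def parse_pflog(pkt, host_order):
    """Decode one DLT_PFLOG frame. host_order is '<' or '>' from the pcap magic."""
    if len(pkt) < PFLOG_HDRLEN:
        raise ValueError("truncated pflog header")
    _hdr_len, af, action, reason = struct.unpack_from("BBBB", pkt, 0)
    ifname = pkt[4:20].split(b"\0", 1)[0].decode("ascii", "replace")
    ruleset = pkt[20:36].split(b"\0", 1)[0].decode("ascii", "replace")
    rulenr, subrulenr = struct.unpack_from(">II", pkt, 36)        # network order
    uid, pid, rule_uid, rule_pid = struct.unpack_from(host_order + "IiIi", pkt, 44)
    direction = pkt[60]
    no_lookup = uid == UID_MAX     # no socket owner was recorded for this packet
    return {
        "ifname": ifname,
        "ruleset": ruleset or None,
        "af": af,
        "action": ACTIONS.get(action, str(action)),
        "reason": reason,
        "rulenr": rulenr,
        "subrulenr": None if subrulenr == 0xFFFFFFFF else subrulenr,
        "dir": DIRS.get(direction, str(direction)),
        "uid": None if no_lookup else uid,
        "pid": None if no_lookup or pid == NO_PID else pid,
        "rule_uid": rule_uid,      # uid/pid of the process that loaded the rule
        "rule_pid": rule_pid,
        "payload": pkt[PFLOG_HDRLEN:],
    }


def parse_pcap(data):
    """Return the decoded pflog records of a classic (non-pcapng) pcap file."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    if linktype != LINKTYPE_PFLOG:
        raise ValueError("not a pflog capture (linktype %d)" % linktype)
    off, records = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        records.append(parse_pflog(data[off:off + incl_len], e))
        off += incl_len
    return records


def pflog_frame(ifname, action, rulenr, direction, uid, pid, rule_uid, rule_pid, e="<"):
    """Constructed DLT_PFLOG frame: header as laid out above plus a dummy IPv4 payload."""
    hdr = struct.pack("BBBB", 61, 2, action, 0)           # length, AF_INET, action, reason
    hdr += ifname.encode("ascii").ljust(16, b"\0")
    hdr += b"\0" * 16                                     # main ruleset: empty name
    hdr += struct.pack(">II", rulenr, 0xFFFFFFFF)         # rulenr, subrulenr = -1
    hdr += struct.pack(e + "IiIi", uid, pid, rule_uid, rule_pid)
    hdr += struct.pack("B3x", direction)
    return hdr + b"\x45" + b"\0" * 19                     # minimal dummy IPv4 header


def pcap_file(frames, e="<"):
    """Constructed classic pcap container around the given frames."""
    out = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_PFLOG)
    for i, frame in enumerate(frames):
        out += struct.pack(e + "IIII", 1427842724 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: a blocked outbound packet on re0 for which pf did no socket
# lookup (sentinel uid/pid), and a passed packet on lo1 whose owning socket was
# resolved to uid 1001, pid 4242.  Both rules were loaded by root (rule_uid 0).
SAMPLE_PCAP = pcap_file([
    pflog_frame("re0", 1, 3, 2, UID_MAX, NO_PID, 0, 1234),
    pflog_frame("lo1", 0, 17, 2, 1001, 4242, 0, 1234),
])


def decode_sample():
    return parse_pcap(SAMPLE_PCAP)


if __name__ == "__main__":
    for r in decode_sample():
        owner = ("no socket owner recorded" if r["uid"] is None
                 else "uid %d pid %s" % (r["uid"], r["pid"]))
        print("rule %d %s %s on %s: %s" % (r["rulenr"], r["action"], r["dir"], r["ifname"], owner))
```

To run it against a real capture, pass the bytes of a `tcpdump -w` file taken on pflog0 to `parse_pcap()`; a record whose `uid` decodes to None is one for which the kernel wrote the sentinels, which is what you would see if the pid is not being recorded at all rather than merely not being printed.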
From owner-freebsd-pf@FreeBSD.ORG Wed Apr 1 01:24:17 2015
From: "nvass-gmx.com (Nikos Vassiliadis)"
To: freebsd-pf@freebsd.org
Subject: [Differential] [Commented On] D1944: PF and VIMAGE fixes
Date: Wed, 1 Apr 2015 01:24:17 +0000

nvass-gmx.com added a comment.

>>! In D1944#11, @kristof wrote:
> Don't we still need to do all of this somewhere?

INLINE COMMENTS

sys/netpfil/pf/pf_ioctl.c:325
pf_unload is called before pf_vnet_unit, this is why we do very few things
in pf_unload. We need everything until the last vnet is destroyed.

sys/netpfil/pf/pf_ioctl.c:3725
The patch includes per-VNET initialization, so this is not needed anymore.
pf_vnet_init() handles all per-VNET initialization, including DEFAULT_VNET.
REVISION DETAIL
https://reviews.freebsd.org/D1944

To: nvass-gmx.com, gnn, bz, zec, trociny, glebius, rodrigc, kristof
Cc: freebsd-virtualization, freebsd-pf, freebsd-net

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 4 18:46:57 2015
From: michael@familie-keil.de
To: freebsd-pf@freebsd.org
Subject: Freebsd jail block out in lo1 while connecting back on ext_if
Date: Sat, 04 Apr 2015 20:37:15 +0200

Hi,

based on the following scenario I'm running into a block out on lo1 and
don't understand why.

Scenario

FreeBSD 10.1
$ext_if with public IPv4 a.b.c.d
2 jails configured, mailjail & webjail, which are working flawlessly...
Both are serving common mail and web services. Honestly, I send this mail
using these jails.
rc.conf:

cloned_interfaces="${cloned_interfaces} lo1"
ifconfig_lo1="inet 10.100.0.1/24"
ifconfig_lo1_alias0="inet 10.100.0.2/24"
jail_sysvipc_allow="YES"
jail_webjail_parameters="allow.raw_sockets=1 allow.sysvipc=1"
jail_mailjail_parameters="allow.raw_sockets=1 allow.sysvipc=1"

pf.conf: (I know it's a bit too open for now. That's because I want to
track down an issue.)

ext_if = "re0"
ext_tcp_out = "{ http, https, ftp, ssh, domain }"
ext_udp_out = "{ domain, ntp }"
jail_if = "lo1"
jail_net = "10.100.0.0/24"
jail_web_adr = "10.100.0.1"
jail_web_ports = "{ http, https }"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"
icmp_types = "echoreq"

table persist
table persist

set skip on lo0
set block-policy drop

scrub in all

nat log on $ext_if from $jail_net to any -> ($ext_if)
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr

antispoof for $ext_if

block log all
block in quick log from
block in quick log from
block in quick log from urpf-failed
block in quick log on $ext_if from no-route

# desperate times call for desperate measures .....
# begin
pass quick on $jail_if
pass out quick on $ext_if
# end

pass on $jail_web_adr proto tcp from any to any port $jail_web_ports
pass on $jail_mail_adr proto tcp from any to any port $jail_mail_ports
pass on $jail_if from $jail_web_adr to $jail_mail_adr
pass on $jail_if from $jail_mail_adr to $jail_web_adr
pass out on $ext_if proto tcp from any to any port $ext_tcp_out
pass out on $ext_if proto udp from any to any port $ext_udp_out
pass in on $ext_if inet proto tcp from any port 67:68 to any port 67:68
pass in on $ext_if inet proto udp from any port 67:68 to any port 67:68
pass in on $ext_if proto udp from any to $ext_if port 33433 >< 33626
pass in on $ext_if proto tcp from any to any port ssh
pass on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass on $ext_if inet6 proto icmp6 all icmp6-type echoreq
pass on $ext_if inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
pass on $ext_if inet6 proto icmp6 all icmp6-type routersol

So what is wrong for me? If I try to connect from 10.100.0.1 (which
actually is my webserver) to the external IP of my webserver, it's blocked:

rule 3..16777216/0(match): block out on lo1: a.b.c.d.80 > 10.100.0.1.58248: Flags [R.], seq 0, ack 2602401153, win 0, length 0

a.b.c.d is my public IP.

I guess I might miss some rdr rules on lo1, too. But I totally don't
understand why there is a block in lo1. Frankly, after reading hours and
hours of documentation I understand nothing at all. Sorry, I don't want to
bother any of you, but I'd really appreciate a hint.

My question is: Why is there a block out on lo1, when there's a pass on
lo1 rule?

Thanks!

Cheers
Michael
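The quoted pflog line carries more than the rule number: pf looks a packet up in the state table before it evaluates any rule, so a logged block of a TCP packet that carries no SYN (here the [R.] reply from a.b.c.d:80 toward 10.100.0.1) means no state existed for that flow on that interface, which is a different problem from a blocked SYN. The following is an added example for this thread (not code posted to the list): it parses `tcpdump -e` output from pflog0 as FreeBSD prints it, counts blocks per rule, interface and direction, and flags the stateless TCP lines separately. The sample input is the line from Michael's mail plus three constructed lines using documentation addresses.

```python
"""Triage tcpdump -e output from pflog0 by rule, interface and TCP state.

Added example for this thread, not code from the list.  A blocked TCP packet
without SYN that reached a rule at all never matched a state, so it is listed
apart from blocked SYNs: the former points at a missing or one-sided state,
the latter at the rule set.
"""
import re
from collections import Counter

# Link-layer prefix tcpdump prints for pflog frames (with -e), followed by the
# usual IP summary, e.g. "rule 3..16777216/0(match): block out on lo1: ...".
# The optional ".ruleset.subrule" part is empty-named on the quoted line.
PFLOG_LINE = re.compile(
    r"rule (?P<rule>\d+)(?:\.(?P<ruleset>[^./]*)\.(?P<subrule>\d+))?"
    r"/(?P<reason>\d+)\((?P<why>[^)]*)\): "
    r"(?P<action>pass|block|nat|rdr|binat|scrub) (?P<dir>in|out) on (?P<ifname>[^:\s]+): "
    r"(?P<src>\S+) > (?P<dst>\S+?):(?=\s|$)(?P<rest>.*)"
)
TCP_FLAGS = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def split_endpoint(ep):
    """'10.100.0.1.58248' -> ('10.100.0.1', 58248); a bare host gets port None."""
    host, sep, port = ep.rpartition(".")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_line(line):
    """Return a dict for one pflog line, or None if it is not a pflog record."""
    m = PFLOG_LINE.search(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    fm = TCP_FLAGS.search(m.group("rest"))
    flags = fm.group("flags") if fm else None
    return {
        "rule": int(m.group("rule")),
        "subrule": int(m.group("subrule")) if m.group("subrule") else None,
        "action": m.group("action"),
        "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "tcp_flags": flags,
        # TCP packet without SYN that reached a rule: no state matched it
        "stateless_tcp": flags is not None and "S" not in flags,
    }


def triage(lines):
    """Parse lines; return (records, Counter of blocks keyed by (rule, ifname, dir))."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    blocks = Counter((r["rule"], r["ifname"], r["dir"])
                     for r in records if r["action"] == "block")
    return records, blocks


def stateless_blocks(records):
    """Blocked TCP packets that carried no SYN: replies to flows pf holds no state for."""
    return [r for r in records if r["action"] == "block" and r["stateless_tcp"]]


# Constructed sample: the line quoted in Michael's mail plus three invented ones.
SAMPLE_LINES = [
    "rule 3..16777216/0(match): block out on lo1: a.b.c.d.80 > 10.100.0.1.58248: "
    "Flags [R.], seq 0, ack 2602401153, win 0, length 0",
    "rule 12..16777216/0(match): pass in on re0: 203.0.113.9.51514 > 192.0.2.10.22: "
    "Flags [S], seq 100, win 65535, length 0",
    "rule 3..16777216/0(match): block in on re0: 203.0.113.9.51515 > 192.0.2.10.8080: "
    "Flags [S], seq 200, win 65535, length 0",
    "rule 3..16777216/0(match): block in on re0: 198.51.100.7.53 > 192.0.2.10.46213: "
    "UDP, length 62",
    "some unrelated line that is not a pflog record",
]


def triage_sample():
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    records, blocks = triage_sample()
    for (rule, ifname, direction), n in sorted(blocks.items()):
        print("rule %d blocked %d packet(s) %s on %s" % (rule, n, direction, ifname))
    for r in stateless_blocks(records):
        print("no state: %s:%s > %s:%s flags [%s] blocked %s on %s" % (
            r["src_host"], r["src_port"], r["dst_host"], r["dst_port"],
            r["tcp_flags"], r["dir"], r["ifname"]))
```

Feed it `tcpdump -n -e -ttt -i pflog0` output (or a saved text log) on stdin and map the rule numbers it reports to rule text with `pfctl -vvsr`, then compare the flagged flows against `pfctl -ss`. A flow that shows up only as a stateless block was never given a state on that interface: on FreeBSD a plain `pass` rule defaults to `flags S/SA` with state, so a non-SYN packet that finds no state does not match such a rule and falls through to `block log all`.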