Message-ID: <44A10A44.1070602@gmail.com>
Date: Tue, 27 Jun 2006 13:36:52 +0300
From: "N. Ersen SISECI"
To: freebsd-pf@FreeBSD.org
Subject: Keep State is not working on 6.1-RELEASE-p1

Hi,

There seems to be a problem with the "keep state" handling with my pf on FreeBSD 6.1-RELEASE-p1.
My first rule is pass in all with keep state. But the packets do not seem to be able to pass out from the other interface. If I change the last block to "pass", everything works fine. It seems that the state table is always if-bound???

Is there a solution for this problem, or am I missing a configuration with kernel, pf, pf.conf, etc.? Or is this a bug :)

Please help...

Here are my rules:

set state-policy floating
pass in log quick proto tcp from any to any keep state
block in log quick all
block out log quick all

These are the pf log lines:

2006-06-27 15:22:27.188969 rule 0/0(match): pass in on bge0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573
2006-06-27 15:22:27.188986 rule 2/0(match): block out on em0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573

N. Ersen SISECI
http://www.enderunix.org
EnderUNIX SDT @ Turkey
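
An added example, not part of the original message: a small Python parser for pflog lines in the format quoted above that reports flows passed inbound on one interface and then blocked outbound on another. The sample input reproduces the two log lines from the message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two pflog lines quoted in the message above.
SAMPLE_LOG = """\
2006-06-27 15:22:27.188969 rule 0/0(match): pass in on bge0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573
2006-06-27 15:22:27.188986 rule 2/0(match): block out on em0: 192.168.9.99.60248 > 10.0.0.2.22: S, cksum 0xc573
"""

# timestamp, rule number, action, direction, interface, src.port > dst.port
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+):"
)

def parse_pflog(text):
    """Yield one dict per line that matches the pflog format shown above."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            yield ev

def passed_in_blocked_out(events):
    """Return flows passed inbound on one interface, then blocked outbound on another."""
    flows = defaultdict(list)
    for ev in events:
        flows[(ev["src"], ev["dst"])].append(ev)
    findings = []
    for (src, dst), evs in flows.items():
        passed = [e for e in evs if (e["action"], e["dir"]) == ("pass", "in")]
        blocked = [e for e in evs if (e["action"], e["dir"]) == ("block", "out")]
        for p in passed:
            for b in blocked:
                # Same-format timestamps compare correctly as strings.
                if b["ifname"] != p["ifname"] and b["ts"] >= p["ts"]:
                    findings.append({"src": src, "dst": dst,
                                     "in_if": p["ifname"], "in_rule": p["rule"],
                                     "out_if": b["ifname"], "out_rule": b["rule"]})
    return findings

if __name__ == "__main__":
    for f in passed_in_blocked_out(parse_pflog(SAMPLE_LOG)):
        print("{src} > {dst}: passed in on {in_if} by rule {in_rule}, "
              "blocked out on {out_if} by rule {out_rule}".format(**f))
```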