From: "Spenst, Aleksej"
To: "freebsd-pf@freebsd.org"
Date: Tue, 1 Jul 2014 14:40:47 +0200
Subject: "keep state" does not work

Hi All,

I have a problem that when I use the rules with "keep state" my use case does not work.
When I use two rules "pass out" and "pass in" (instead of one "pass out" rule with keep state) then everything works.

These rules work fine:

    pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
    pass in quick on wfd0 proto tcp from 172.16.222/24 port 7236 to (self)

Now, instead of these two rules I write the following rule with "keep state" and it does not work:

    pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236 keep state

The strange thing is that in this case I don't see any blocked packets in logs! I also see that the state "self -> 172.16.222/24 port 7236" always exists.

Does anyone have experience that "keep state" does not work as expected for some reason?

Thanks a lot!
Aleksej.