From: Artis Caune
To: Sebastiaan van Erk
Cc: freebsd-pf@freebsd.org
Date: Thu, 2 Apr 2009 23:28:32 +0300
Subject: Re: state mismatch/connection issues
Message-ID: <9e20d71e0904021328u5e871322k1523c2ce0bf9fdd1@mail.gmail.com>
In-Reply-To: <49C9F27F.3010505@sebster.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

2009/3/25 Sebastiaan van Erk :
> The problem I'm having is that I get intermittent connection
> refused/operation not permitted to another machine on the local network.
> When I do pfctl -s info I see *huge* numbers of state mismatches:
>
> The firewall rules are trivially simple, $ext_if has 2 IPs and $int_if has
> one:
>
> interfaces = "{" $ext_if "," $int_if "}"
>
> scrub in all
> set skip on lo0
> antispoof for $interfaces inet
> block out log quick on $ext_if from !$ext_ip1 to any
> block in quick on $ext_if from any to 255.255.255.255
> block log all
>
> pass in quick inet proto icmp all icmp-type $icmp_types
>
> pass in quick on $int_if from $int_net to any
> pass out quick on $int_if from any to $int_net
>
> pass out on $ext_if proto tcp all
> pass out on $ext_if proto { udp, icmp } all
> pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1
> pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2

Try without the "block out log quick on $ext_if from !$ext_ip1 to any" rule.

Btw, is your firewall forwarding traffic or doing NAT?
Can you show pfctl -sr and ifconfig output?

--
regards,
Artis Caune

<----.  CCNA | BSDA
<----|====================
<----'  didii FreeBSD
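As an added example that is not part of the thread, the check below turns the `pfctl -s info` state-mismatch counter Sebastiaan quotes into a share of state-table searches between two snapshots, so the symptom can be watched while rules such as the `block out` line are changed. The two snapshots are constructed and the 5% threshold is an assumption.

```shell
# Added example (not from the thread): compare two `pfctl -s info` snapshots
# and report what share of new state-table searches ended as state-mismatch.
# Both snapshots below are constructed, trimmed to the counters used here.
PF_INFO_BEFORE='Status: Enabled for 0 days 01:00:00           Debug: Urgent

State Table                          Total             Rate
  current entries                      120
  searches                          500000          138.9/s
Counters
  match                               9000            2.5/s
  state-mismatch                     40000           11.1/s'

PF_INFO_AFTER='Status: Enabled for 0 days 01:01:00           Debug: Urgent

State Table                          Total             Rate
  current entries                      123
  searches                          560000          138.9/s
Counters
  match                               9100            2.5/s
  state-mismatch                     52000           11.1/s'

# pf_counter NAME TEXT: print the Total column for counter NAME (0 if absent).
pf_counter() {
    printf '%s\n' "$2" |
        awk -v name="$1" '$1 == name { print $2; found = 1 } END { if (!found) print 0 }'
}

# pf_mismatch_pct BEFORE AFTER: integer percentage of the searches made
# between the two snapshots that hit the state-mismatch counter.
pf_mismatch_pct() {
    ds=$(( $(pf_counter searches "$2") - $(pf_counter searches "$1") ))
    dm=$(( $(pf_counter state-mismatch "$2") - $(pf_counter state-mismatch "$1") ))
    [ "$ds" -gt 0 ] || { echo 0; return 0; }
    echo $(( dm * 100 / ds ))
}

# pf_mismatch_check THRESHOLD BEFORE AFTER: succeed when the share is below
# THRESHOLD percent (the threshold is an assumption, tune it per site).
pf_mismatch_check() {
    pct=$(pf_mismatch_pct "$2" "$3")
    if [ "$pct" -ge "$1" ]; then
        echo "WARNING: ${pct}% of new pf state searches were mismatches" >&2
        return 1
    fi
    echo "OK: ${pct}% of new pf state searches were mismatches"
}

# On a live host: before=$(pfctl -s info); sleep 60; after=$(pfctl -s info)
pf_mismatch_check 5 "$PF_INFO_BEFORE" "$PF_INFO_AFTER" || echo "check failed, status $?"
```

A mismatch share that stays high after removing a rule points at something other than that rule (asymmetric routing or a second interface seeing the reply path), which is why the reply also asks for `pfctl -sr` and `ifconfig`.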