From: "Travis H." <solinym@gmail.com>
To: "Ronnel P. Maglasang"
Cc: freebsd-pf@freebsd.org
Date: Wed, 21 Jun 2006 04:46:27 -0500
Subject: Re: outgoing LAN traffic always in "keep state"
In-Reply-To: <44968D8C.5010606@infoweapons.com>
References: <44960900.4000406@infoweapons.com> <44963DCA.8030800@infoweapons.com> <44968D8C.5010606@infoweapons.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 6/19/06, Ronnel P. Maglasang wrote:
> One note: I observe that reply packets can match a rule(s) on the
> internal interface.

When it passes through the firewall and out towards the LAN, right?

> > #normalize outgoing packets IP ID field
> > scrub log on vr0 all random-id fragment reassemble

Aside: doesn't scrubbing create a state?

This doesn't look like a dump from pfctl, since it has macros in it. Can you double-check the active ruleset and make sure it is equivalent to what you have in your config file?

    pfctl -s rules

I notice that your list macros $lan and $wan have just one element in them. This is illegal syntax on OpenBSD, so maybe your ruleset isn't loading due to the syntax and hence packets are being evaluated against an old ruleset, maybe the default.

Another handy thing is to run "pfctl -s rules -v -v" twice, with a decent delay in between, and see what rules are getting evaluated.

PS: Please don't top-post.

-- 
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
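The "run pfctl -s rules -v -v twice and compare" advice above is tedious to do by eye on a ruleset of any size. The script below is an added example, not something from this thread or from the pf project: it parses two verbose rule listings and reports, per rule, how many evaluations and packets accrued in between, flagging rules that pf evaluated without ever matching and refusing to compare snapshots whose rule text differs (a sign the ruleset was reloaded in the meantime). The two snapshots embedded here are constructed sample output, and the bracketed counter-line layout is assumed from pfctl's verbose listing.

```python
"""Diff two `pfctl -s rules -v -v` snapshots to see which rules pf actually
evaluated and matched in between. Added example; the counter-line layout
is assumed from pfctl's verbose listing and the sample output is constructed."""
import re
from typing import Dict, List, NamedTuple


class RuleCounters(NamedTuple):
    text: str          # the rule as pfctl prints it (macros already expanded)
    evaluations: int   # how often pf evaluated this rule against a packet
    packets: int       # packets accounted to this rule (directly or via its states)
    bytes: int
    states: int        # states currently existing because of this rule


class RuleDelta(NamedTuple):
    number: int
    text: str
    evaluations: int
    packets: int


# "@N <rule text>" lines come from the second -v; a bracketed counter line
# follows each rule. Whitespace inside the brackets varies, hence \s+.
RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
    r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)

# Constructed snapshots (not the poster's firewall), taken a few seconds apart.
SNAPSHOT_BEFORE = """\
@0 scrub log on vr0 all random-id fragment reassemble
  [ Evaluations: 1200      Packets: 1180      Bytes: 950000     States: 0     ]
  [ Inserted: uid 0 pid 512 ]
@1 block drop log all
  [ Evaluations: 1200      Packets: 7         Bytes: 420        States: 0     ]
  [ Inserted: uid 0 pid 512 ]
@2 pass in quick on vr0 inet from 192.0.2.0/24 to any flags S/SA keep state
  [ Evaluations: 1193      Packets: 1050      Bytes: 900000     States: 14    ]
  [ Inserted: uid 0 pid 512 ]
@3 pass out quick on vr1 inet from any to any flags S/SA keep state
  [ Evaluations: 143       Packets: 123       Bytes: 49580      States: 9     ]
  [ Inserted: uid 0 pid 512 ]
"""
SNAPSHOT_AFTER = """\
@0 scrub log on vr0 all random-id fragment reassemble
  [ Evaluations: 1500      Packets: 1470      Bytes: 1210000    States: 0     ]
  [ Inserted: uid 0 pid 512 ]
@1 block drop log all
  [ Evaluations: 1500      Packets: 9         Bytes: 540        States: 0     ]
  [ Inserted: uid 0 pid 512 ]
@2 pass in quick on vr0 inet from 192.0.2.0/24 to any flags S/SA keep state
  [ Evaluations: 1493      Packets: 1300      Bytes: 1150000    States: 16    ]
  [ Inserted: uid 0 pid 512 ]
@3 pass out quick on vr1 inet from any to any flags S/SA keep state
  [ Evaluations: 150       Packets: 123       Bytes: 49580      States: 9     ]
  [ Inserted: uid 0 pid 512 ]
"""


def parse_rules(output: str) -> Dict[int, RuleCounters]:
    """Map rule number -> counters for one pfctl listing."""
    rules: Dict[int, RuleCounters] = {}
    current = None
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = int(m.group(1))
            rules[current] = RuleCounters(m.group(2).strip(), 0, 0, 0, 0)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            rules[current] = rules[current]._replace(
                evaluations=int(m.group(1)), packets=int(m.group(2)),
                bytes=int(m.group(3)), states=int(m.group(4)))
    return rules


def diff_counters(before: str, after: str) -> List[RuleDelta]:
    """Per-rule counter growth between two snapshots of the same ruleset."""
    old, new = parse_rules(before), parse_rules(after)
    old_shape = [(n, r.text) for n, r in sorted(old.items())]
    new_shape = [(n, r.text) for n, r in sorted(new.items())]
    if old_shape != new_shape:
        raise ValueError("ruleset changed between snapshots; counters are not comparable")
    deltas = []
    for n in sorted(new):
        d_eval = new[n].evaluations - old[n].evaluations
        d_pkts = new[n].packets - old[n].packets
        if d_eval < 0 or d_pkts < 0:
            # A reload replaces the rules and zeroes their counters.
            raise ValueError(f"counters for rule @{n} went backwards; was pf reloaded?")
        deltas.append(RuleDelta(n, new[n].text, d_eval, d_pkts))
    return deltas


def evaluated_but_unmatched(deltas: List[RuleDelta]) -> List[int]:
    """Rules pf looked at during the interval without any packet matching."""
    return [d.number for d in deltas if d.evaluations > 0 and d.packets == 0]


if __name__ == "__main__":
    for d in diff_counters(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        flag = "  <- evaluated, never matched" if d.evaluations and not d.packets else ""
        print(f"@{d.number}: +{d.evaluations} evaluations, +{d.packets} packets{flag}  {d.text}")
```

In practice you would capture `pfctl -s rules -v -v` to two files a minute or so apart and feed their contents to `diff_counters`. Packets that match an existing state skip rule evaluation entirely, so a rule whose Packets grow while its Evaluations stay flat is carrying state traffic rather than being re-evaluated, which is exactly the distinction this thread is about.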