From: Maciej Milewski
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Mon, 2 Aug 2010 15:54:39 +0200
Subject: Re: pf filtering openvpn problem
Message-Id: <201008021554.40116.milu@dat.pl>
In-Reply-To: <20100802091637.GB16609@insomnia.benzedrine.cx>
References: <201008010132.38555.milu@dat.pl> <20100802091637.GB16609@insomnia.benzedrine.cx>

On Monday, 02 August 2010 at 11:16:37, Daniel Hartmeier wrote:
> The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
> on tun0, matching
>
> > pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
> > keep
>
> and then passes out on sk0, but there is no matching rule.
>
> Since your default block rule
>
> > block drop in log all
>
> only applies to incoming (not outgoing) packets, it doesn't match,
> either. So the SYN packet passes by the implicit default pass rule,
> which doesn't keep state.
>
> That's why the returning SYN+ACK is blocked in on sk0, there is no
> state.
>
> Try adding
>
> pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
> keep
>
> and maybe remove the 'in' from the default block rule.
>
> HTH,
> Daniel

Indeed it was it. This solution worked! Thanks Daniel.

Regards,
Maciej Milewski
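The behaviour Daniel describes (a "block in" rule that never sees the outbound SYN, the implicit default pass that keeps no state, and the returning SYN+ACK finding no state on sk0) can be traced with a small simulation. This is an added example, not code from the thread or from pf itself; it assumes a much simplified pf: rules match only on direction, interface and source address, states float across interfaces, and ports, TCP flags and rule options are ignored.

```python
# Simplified model of pf rule evaluation (last matching rule wins, implicit
# default pass, "block in" covers one direction, "keep state" lets replies skip
# the rules). Constructed for this thread, not pf's code; rules match on
# direction, interface and source only (no ports, TCP flags or options).
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str          # "pass" or "block"
    direction: str = ""  # "in", "out" or "" for both directions
    iface: str = ""      # interface name or "" for any interface
    src: str = ""        # source address or "" for any source
    keep_state: bool = False

    def matches(self, iface, direction, src):
        wanted = ((self.direction, direction), (self.iface, iface), (self.src, src))
        return all(want in ("", got) for want, got in wanted)

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)  # floating states, no iface in key

    def filter(self, iface, direction, src, dst):
        """Verdict for one packet, creating state as a stateful pass rule would."""
        if (direction, src, dst) in self.states:
            return "pass"                      # state matched: ruleset is skipped
        verdict, keep = "pass", False          # implicit default pass, no state
        for r in self.rules:                   # last matching rule wins
            if r.matches(iface, direction, src):
                verdict, keep = r.action, r.keep_state
        if verdict == "pass" and keep:
            self.states.add((direction, src, dst))                         # original
            self.states.add(("out" if direction == "in" else "in", dst, src))  # reply
        return verdict

CLIENT, SERVER = "10.10.0.8", "10.0.10.2"

def ssh_handshake(rules):
    """Verdicts for the SYN (in on tun0, then out on sk0) and the SYN+ACK (in on sk0)."""
    fw = Firewall(rules)
    return (fw.filter("tun0", "in", CLIENT, SERVER),
            fw.filter("sk0", "out", CLIENT, SERVER),
            fw.filter("sk0", "in", SERVER, CLIENT))

# Original ruleset: the SYN leaves sk0 via the default pass without state, so the
# returning SYN+ACK in on sk0 finds no state and hits "block drop in log all".
ORIGINAL = [Rule("block", "in"), Rule("pass", iface="tun0", src=CLIENT, keep_state=True)]
# Daniel's fix: a stateful pass on sk0 as well, and a block covering both directions.
FIXED = [Rule("block"), ORIGINAL[1], Rule("pass", iface="sk0", src=CLIENT, keep_state=True)]
```

Running `ssh_handshake(ORIGINAL)` yields a blocked SYN+ACK while `ssh_handshake(FIXED)` passes all three packets, which is the difference between the two pf.conf variants in the thread.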