From: Johan Ström
To: Matthew Seaman
Cc: Alex Trull, freebsd-pf@freebsd.org, freebsd-stable, freebsd-net@freebsd.org
Date: Sun, 18 May 2008 12:33:51 +0200
Subject: Re: connect(): Operation not permitted
On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:

> Johan Ström wrote:
>
>> drop all traffic)? A check with pfctl -vsr reveals that the actual
>> rule inserted is "pass on lo0 inet from 123.123.123.123 to
>> 123.123.123.123 flags S/SA keep state". Where did that "keep state"
>> come from?
>
> 'flags S/SA keep state' is the default now for tcp filter rules -- that
> was new in 7.0 reflecting the upstream changes made between the 4.0 and 4.1
> releases of OpenBSD. If you want a stateless rule, append 'no state'.
>
> http://www.openbsd.org/faq/pf/filter.html#state

Thanks! I was actually looking around in the pf.conf manpage but failed to
find it yesterday, but looking closer today I now saw it.

Applied the no state (and quick) to the rule, and now no state is created.

And the problem I had in the first place seems to have been resolved too now,
even though it didn't look like a state problem.. (started to deny new
connections much earlier than the states were full, although maybe I wasn't
looking for updates fast enough or something).

Anyways, thanks to all helping me out, and of course thanks to everybody
involved in FreeBSD/pf and all for great products! Cannot be said enough
times ;)
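The rule change discussed in the thread, written out as a pf.conf fragment. This is an added example and not configuration posted by anyone in the thread; the address 192.0.2.10 (documentation range, standing in for 123.123.123.123), the interface name em0 and the default-deny policy are assumptions. The comments quote the expanded form that pfctl -vsr prints for the first rule, as reported in the thread, and contrast it with the stateless variant Johan switched to. The connection to the subject line is that on FreeBSD a packet dropped by pf on the outbound path makes the sending socket call fail with EPERM, which is what "connect(): Operation not permitted" is.

```pf
# pf.conf fragment: stateful default versus an explicit stateless rule.
# Added example, not from the original thread.  Assumptions: host address
# 192.0.2.10, external interface em0, default-deny policy.

ext_if = "em0"
self   = "192.0.2.10"

block all

# Written this way, pfctl expands the rule with the 7.0 defaults.  The
# thread reports that "pfctl -vsr" shows it as:
#   pass on lo0 inet from 192.0.2.10 to 192.0.2.10 flags S/SA keep state
# "flags S/SA" means only the initial SYN matches and creates a state;
# every later packet of the connection is then matched against the state
# table, not against the rules.  If the state table is full (or the state
# was never created), those packets fall through to "block all" and the
# sender sees EPERM.
pass on lo0 inet from $self to $self

# Stateless variant, as used in the thread: no entry is created in the
# state table, and because "no state" is given, the S/SA flags default is
# not applied, so every packet of the connection is evaluated against this
# rule.  "quick" stops rule evaluation here so a later rule cannot
# override the match.  Without a direction keyword and with identical
# source and destination the rule covers both in and out on lo0, which is
# what makes a single stateless rule enough on loopback; on $ext_if a
# stateless pass normally needs a matching rule for the reply direction.
pass quick on lo0 inet from $self to $self no state

# Stateful rule for real interfaces: keep the default, since it is what
# lets the reply packets through.
pass out on $ext_if inet proto tcp from $self to any
```

To confirm what the kernel actually loaded, run `pfctl -nf /etc/pf.conf` to parse without loading, `pfctl -vsr` to see the expanded rules, and `pfctl -si` (State Table, "current entries") together with `pfctl -sm` (the `states` hard limit) to check whether the state table is anywhere near full; `set limit states N` in pf.conf raises the limit. If loopback traffic does not need filtering at all, `set skip on lo0` removes it from pf entirely and avoids the question.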