From owner-freebsd-pf@FreeBSD.ORG Thu Mar 29 13:16:08 2007
Message-ID: <460BBBFC.3080501@vwsoft.com>
Date: Thu, 29 Mar 2007 15:15:40 +0200
From: Volker <volker@vwsoft.com>
To: KES
Cc: freebsd-pf@freebsd.org
References: <868144293.20070329001333@yandex.ru>
In-Reply-To: <868144293.20070329001333@yandex.ru>
Subject: Re: pf BUG?
On 12/23/-58 20:59, KES wrote:
> Hello
>
> I have started to use ADSL.
> My network has the following structure:
> CPU -iIP---- rl0 -SERVER -tun0--- >>>>> INET
>
> I have the following pf rules:
>
> 1) drop all
> 2) pass in quick on tun0 all
> 3) pass out quick on tun0 all
> 4) pass in on rl0 from $iIp to any
> 5) pass out on rl0 from any to $iIp
>
> The following is wrong:
> If I ping the Internet from CPU with
>
> 2) pass in log-all on tun0 all
> 3) pass out quick on tun0 all
>
> tcpdump on pflog0 shows nothing.
> But with
>
> 2) pass in on tun0 all
> 3) pass out log-all quick on tun0 all
>
> tcpdump on pflog0 shows in and out traffic on the tun0 interface!!!
>
> The system was built from 2007-03-27 sources;
> the architecture is sparc64.

This is not a pf bug.

I'm wondering why you're using a firewall at all? Your firewall is nothing but just wide open (tm) and effectively useless.

Anyway, I really don't understand your problem. Do you really want to have a firewall which does nothing but logging like crazy?

BTW, the log-all option does not make sense when not being used in conjunction with stateful inspection.

HTH,
Volker
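An added example, not part of either mail in this thread: the posted ruleset next to a default-deny, stateful version of the same two-interface setup. The interface names come from the post; the internal address value, the NAT rule and the assumption that the LAN uses private addresses are mine. The `log-all` spelling is the one the post uses (pf from OpenBSD 4.1 onward, and the FreeBSD releases that imported it, write it as `log (all)`).

```pf
# Macros: interface names as in the post; $iIp is a placeholder value,
# the post does not give the real address.
ext_if = "tun0"          # ADSL link to the Internet
int_if = "rl0"           # LAN side, where the CPU host sits
iIp    = "10.0.0.2"      # placeholder for the CPU's address ($iIp in the post)

# --- Ruleset as posted (kept as comments for comparison) ---------------------
# block all
# pass in quick on tun0 all
# pass out quick on tun0 all
# pass in on rl0 from $iIp to any
# pass out on rl0 from any to $iIp
#
# Every packet on tun0 is passed unconditionally by a "quick" rule, so the
# "block all" never applies there, and no rule keeps state. Without state,
# each packet of a connection is evaluated against the ruleset again and a
# plain "log" already logs every one of them; "log-all" (log every packet
# that matches a state entry, not only the one that created it) has
# nothing extra to do, which is the point made in the reply above.

# --- Default-deny, stateful ruleset ------------------------------------------
set skip on lo0
scrub in all

# Assumed: the LAN behind rl0 uses private addresses and is NATed out tun0.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny in both directions; log what is dropped so pflog0 shows
# only unexpected traffic.
block log all

# The server itself may go out; "log" on a stateful rule records only the
# packet that creates the state, one line per connection rather than per
# packet.
pass out quick log on $ext_if keep state

# The CPU host may go out through the server. The state created here is a
# floating state, so the same connection is also matched when the packet
# leaves on $ext_if and when the reply returns, without any "pass in on
# tun0" rule: nothing unsolicited is accepted from the Internet.
pass in quick on $int_if from $iIp to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` afterwards shows only blocked packets plus one line per new connection from the server, instead of every packet of every flow.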