Date: Mon, 2 Aug 2010 15:54:39 +0200
From: Maciej Milewski <milu@dat.pl>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf filtering openvpn problem
Message-ID: <201008021554.40116.milu@dat.pl>
In-Reply-To: <20100802091637.GB16609@insomnia.benzedrine.cx>
References: <201008010132.38555.milu@dat.pl> <20100802091637.GB16609@insomnia.benzedrine.cx>
On Monday, 02 August 2010 at 11:16:37, Daniel Hartmeier wrote:
> The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
> on tun0, matching
>
> > pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
> > keep
>
> and then passes out on sk0, but there is no matching rule.
>
> Since your default block rule
>
> > block drop in log all
>
> only applies to incoming (not outgoing) packets, it doesn't match,
> either. So the SYN packet passes by the implicit default pass rule,
> which doesn't keep state.
>
> That's why the returning SYN+ACK is blocked in on sk0, there is no
> state.
>
> Try adding
>
> pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
> keep
>
> and maybe remove the 'in' from the default block rule.
>
> HTH,
> Daniel

Indeed, that was it. This solution worked!
Thanks Daniel.

Regards,
Maciej Milewski
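An added example, not taken from either message in the thread, showing the ruleset shape Daniel describes before and after his fix. The interface roles (tun0 = OpenVPN tunnel, sk0 = LAN toward 10.0.10.2), the full `keep state` spelling on the pass rules, and the pfctl/tcpdump checks are my assumptions, not the poster's actual pf.conf.

```pf
# Added example: pf.conf before and after Daniel's fix. Interface roles
# (tun0 = OpenVPN tunnel, sk0 = the LAN toward 10.0.10.2) are assumed from
# the thread; everything else here is illustrative, not the poster's file.

## --- BEFORE: SYN gets out, SYN+ACK gets dropped ---------------------------
# The "in" keyword limits the default block to inbound packets only.
block drop in log all
# Matches the SYN arriving on tun0 and creates state for it.
pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 \
    flags S/SA keep state
# No rule covers the SYN leaving on sk0, so it passes via pf's implicit
# default pass, which creates no state. The SYN+ACK then arrives "in" on sk0,
# finds no state to match, and hits "block drop in log all".

## --- AFTER: explicit, stateful rules on both interfaces --------------------
# Dropping the "in" makes the default block apply in both directions, so every
# path a packet takes now needs an explicit pass rule (including the gateway's
# own traffic; add those rules as your setup requires).
block drop log all
# On the tunnel: create state for the forwarded connection.
pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 \
    flags S/SA keep state
# On the LAN side: a stateful pass rule, so the SYN+ACK coming back in on
# sk0 matches state instead of falling through to the default block.
pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 \
    flags S/SA keep state

## --- Checks (run as root on the gateway) -----------------------------------
# pfctl -nf /etc/pf.conf        # parse only; catches syntax errors before loading
# pfctl -f /etc/pf.conf         # load the ruleset
# pfctl -sr                     # confirm both pass rules are present
# pfctl -ss | grep 10.0.10.2    # after an ssh attempt: expect state for the connection
# tcpdump -n -e -ttt -i pflog0  # remaining "block" lines show what is still missing
```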