Date:      Wed, 21 Jun 2006 04:46:27 -0500
From:      "Travis H." <solinym@gmail.com>
To:        "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: outgoing LAN traffic always in "keep state"
Message-ID:  <d4f1333a0606210246p414a3792l69482895a80e4737@mail.gmail.com>
In-Reply-To: <44968D8C.5010606@infoweapons.com>
References:  <44960900.4000406@infoweapons.com> <fee88ee40606182233v3b280dbbgfa57a30f311c4ef7@mail.gmail.com> <44963DCA.8030800@infoweapons.com> <fee88ee40606190318m6fc2da77jedd6eb9fd5ae32c7@mail.gmail.com> <44968D8C.5010606@infoweapons.com>

On 6/19/06, Ronnel P. Maglasang <rmaglasang@infoweapons.com> wrote:
> One note: I observe that reply packets can match a rule(s) on the
> internal interface.

When it passes through the firewall and out towards the LAN, right?

> >     #normalize outgoing packets IP ID field
> >     scrub log on vr0 all random-id fragment reassemble

Aside: doesn't scrubbing create a state?

This doesn't look like a dump from pfctl, since it has macros in it.
Can you double-check the active ruleset and make sure it is equivalent
to what you have in your config file?
pfctl -s rules

I notice that your list macros $lan and $wan have just one element in
them.  This is illegal syntax on OpenBSD, so maybe your ruleset isn't
loading due to the syntax and hence packets are being evaluated
against an old ruleset, maybe the default.

Another handy thing is to run "pfctl -s rules -v -v" twice, with a
decent delay in between, and see what rules are getting evaluated.

PS:  Please don't top-post.
-- 
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
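The counter-comparison step Travis describes, as an added example that is not part of the original thread: a Python script that parses two snapshots of `pfctl -s rules -vv` output (constructed sample output embedded inline, assumed to follow the `@N rule` plus `[ Evaluations: ... Packets: ... ]` layout) and reports which rules' counters moved between them.

```python
import re

# Constructed sample output in the layout of `pfctl -s rules -vv`, taken as the
# first of two snapshots. Rules, PIDs and counters are made up for illustration.
SNAPSHOT_1 = """\
@0 scrub log on vr0 all random-id fragment reassemble
  [ Evaluations: 120       Packets: 118       Bytes: 60000      States: 0     ]
  [ Inserted: uid 0 pid 512 State Creations: 0     ]
@1 pass out quick on vr0 inet from 192.0.2.0/24 to any keep state
  [ Evaluations: 120       Packets: 118       Bytes: 60000      States: 3     ]
  [ Inserted: uid 0 pid 512 State Creations: 40    ]
@2 block in log on vr0 inet all
  [ Evaluations: 5         Packets: 0         Bytes: 0          States: 0     ]
  [ Inserted: uid 0 pid 512 State Creations: 0     ]
"""
# Second constructed snapshot, a few seconds later: the scrub and pass-out rules
# saw 30 more evaluations and 29 more packets; the block rule did not move.
SNAPSHOT_2 = (SNAPSHOT_1.replace("Evaluations: 120 ", "Evaluations: 150 ")
                        .replace("Packets: 118 ", "Packets: 147 "))

RULE_RE = re.compile(r"^@(\d+) (.+)$")             # "@N <rule text>"
STATS_RE = re.compile(r"Evaluations: (\d+)\s+Packets: (\d+)")


def parse_rules(text):
    """Map rule number -> (rule text, evaluations, packets) from -vv output."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = int(m.group(1))
            rules[current] = [m.group(2), 0, 0]
        elif current is not None and (m := STATS_RE.search(line)):
            rules[current][1:] = int(m.group(1)), int(m.group(2))
    return {n: tuple(v) for n, v in rules.items()}


def rule_deltas(before, after):
    """Rules whose Evaluations/Packets counters moved between two snapshots."""
    old, deltas = parse_rules(before), {}
    for num, (text, ev, pk) in parse_rules(after).items():
        _, old_ev, old_pk = old.get(num, (text, 0, 0))
        if ev != old_ev or pk != old_pk:
            deltas[num] = (text, ev - old_ev, pk - old_pk)
    return deltas


if __name__ == "__main__":
    for num, (text, d_ev, d_pk) in sorted(rule_deltas(SNAPSHOT_1, SNAPSHOT_2).items()):
        print(f"@{num} +{d_ev} evaluations, +{d_pk} packets: {text}")
```

On a live box, feed it the captured output of two real `pfctl -s rules -vv` runs instead of the embedded samples; a rule whose counters never move while the traffic in question is flowing is not the rule matching it.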