connect(): Operation not permitted
Johan Ström
johan at stromnet.se
Sun May 18 10:33:58 UTC 2008
On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
> Johan Ström wrote:
>
>> drop all traffic)? A check with pfctl -vsr reveals that the actual
>> rule inserted is "pass on lo0 inet from 123.123.123.123 to
>> 123.123.123.123 flags S/SA keep state". Where did that "keep state"
>> come from?
>
> 'flags S/SA keep state' is the default now for tcp filter rules -- that
> was new in 7.0 reflecting the upstream changes made between the 4.0 and 4.1
> releases of OpenBSD. If you want a stateless rule, append 'no state'.
>
> http://www.openbsd.org/faq/pf/filter.html#state
Thanks! I was actually looking around in the pf.conf manpage but
failed to find it yesterday, but looking closer today I now saw it.
Applied the no state (and quick) to the rule, and now no state is
created.
And the problem I had in the first place seems to have been resolved
too now, even though it didn't look like a state problem.. (started to
deny new connections much earlier than the states were full, although
maybe I wasn't looking for updates fast enough or something).
Anyways, thanks to all helping me out, and of course thanks to
everybody involved in FreeBSD/pf and all for great products! Cannot be
said enough times ;)
More information about the freebsd-net
mailing list