outgoing LAN traffic always in "keep state"

Travis H. solinym at gmail.com
Wed Jun 21 09:46:30 UTC 2006


On 6/19/06, Ronnel P. Maglasang <rmaglasang at infoweapons.com> wrote:
> One note: I observe that reply packets can match a rule(s) on the
> internal interface.

When it passes through the firewall and out towards the LAN, right?

> >     #normalize outgoing packets IP ID field
> >     scrub log on vr0 all random-id fragment reassemble

Aside: doesn't scrubbing create a state?

This doesn't look like a dump from pfctl, since it has macros in it.
Can you double-check the active ruleset and make sure it is equivalent
to what you have in your config file?
pfctl -s rules

I notice that your list macros $lan and $wan have just one element in
them.  This is illegal syntax on OpenBSD, so maybe your ruleset isn't
loading due to the syntax and hence packets are being evaluated
against an old ruleset, maybe the default.

Another handy thing is to run "pfctl -s rules -v -v" twice, with a
decent delay in between, and see what rules are getting evaluated.

PS:  Please don't top-post.
-- 
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
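The "run pfctl -s rules -v -v twice and see what rules are getting evaluated" check can be scripted. This is an added example, not code from the thread: the two snapshots are constructed sample output in the -vv format (rule line prefixed by @N, then the counter lines), and pfctl itself is not invoked, so it runs on any host.

```shell
# Added example: compare two snapshots of `pfctl -s rules -vv` and list the
# rules whose Evaluations counter grew. Packets matched by an existing state
# entry never reach rule evaluation, so a rule counting up between snapshots
# is one that traffic still hits without a state covering it (samples constructed).
SNAP1='@0 scrub log on vr0 all random-id fragment reassemble
  [ Evaluations: 100       Packets: 80        Bytes: 9000        States: 0     ]
  [ Inserted: uid 0 pid 512 State Creations: 0     ]
@1 block drop in log all
  [ Evaluations: 50        Packets: 5         Bytes: 300         States: 0     ]
  [ Inserted: uid 0 pid 512 State Creations: 0     ]
@2 pass out on vr0 inet all flags S/SA keep state
  [ Evaluations: 40        Packets: 2000      Bytes: 150000      States: 3     ]
  [ Inserted: uid 0 pid 512 State Creations: 12    ]'
SNAP2='@0 scrub log on vr0 all random-id fragment reassemble
  [ Evaluations: 100       Packets: 80        Bytes: 9000        States: 0     ]
  [ Inserted: uid 0 pid 512 State Creations: 0     ]
@1 block drop in log all
  [ Evaluations: 57        Packets: 12        Bytes: 720         States: 0     ]
  [ Inserted: uid 0 pid 512 State Creations: 0     ]
@2 pass out on vr0 inet all flags S/SA keep state
  [ Evaluations: 43        Packets: 2600      Bytes: 190000      States: 4     ]
  [ Inserted: uid 0 pid 512 State Creations: 15    ]'

# rules_hit BEFORE AFTER: print "@N <rule>: +delta evaluations" for each rule
# whose Evaluations counter increased between the two snapshot files.
rules_hit() {
    awk '
        FNR == 1 { file++ }                      # 1 = before, 2 = after
        /^@[0-9]+ / { rule = $1; text[rule] = substr($0, length($1) + 2) }
        /^ *\[ Evaluations:/ { ev[file, rule] = $3 + 0 }
        END {
            for (r in text) {
                d = ev[2, r] - ev[1, r]
                if (d > 0) printf "%s %s: +%d evaluations\n", r, text[r], d
            }
        }' "$1" "$2" | sort
}

# Live use: capture `pfctl -s rules -vv` to two files some seconds apart instead.
rules_hit_demo() {
    before=$(mktemp) && after=$(mktemp) || return 1
    printf '%s\n' "$SNAP1" > "$before"
    printf '%s\n' "$SNAP2" > "$after"
    rules_hit "$before" "$after"
    rm -f "$before" "$after"
}

rules_hit_demo
```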