pf eats syn packet?
frank at pinky.sax.de
Thu Aug 2 15:37:25 UTC 2007
Max Laier <max at love2party.net> wrote on 2 Aug 2007 17:15:
> Can you follow up with the complete pf.conf you are using?
I'll send you the complete file in a personal mail.
> The "state insert failed" error suggests a logic problem in your config (or a missed
> PF_TAG_GENERATED somewhere). It seems that the same packet is run
> through the firewall twice, generating state on the first run, but not
> matching it on the second ... somehow strange.
As I wrote in my first message, the following statements may produce the problem:
nat inet from !tun2-address to any port = http -> tun2-address
nat on tun0 inet from <intern> to any -> tun0-address
pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state
pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state
The reason for this setup is that I want to use policy-based routing. The http port is an easy-to-test
example. I have 2 DSL/pppoe connections with NAT, and tun0 has the default route
assigned. I want to
- route some traffic from the LAN (NATed) to tun2
- route some traffic from the gateway to tun2
Maybe there is a better solution?
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
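Added example, not part of the thread and not Frank's configuration: a pf.conf fragment in the layout the OpenBSD PF FAQ documents for two uplinks. It keeps the address translation on the interface the packet actually leaves on and takes the policy-routing decision for LAN traffic on the inbound rule of the internal interface. That ordering matters because route-to onto a different interface sends the packet through pf a second time on that interface, which is the "run through the firewall twice" Max describes above, so a translation done on tun0 is already in place when the tun2 rules see the packet. The internal interface name em0, the LAN prefix, the choice of http as the traffic sent via tun2, and the pppoe peer addresses behind $tun0_gw and $tun2_gw are assumptions. The fragment does not claim to resolve the state insert failure reported in the thread, and gateway-originated traffic that is not already sourced from tun2's address stays the open question it is above.

```pf
# Added example (not the configuration from the thread). Interface em0,
# the LAN prefix and both peer addresses are assumed placeholders.
int_if  = "em0"
lan     = "192.168.1.0/24"
tun0_gw = "10.0.0.1"      # assumed pppoe peer on tun0 (holds the default route)
tun2_gw = "10.0.2.1"      # assumed pppoe peer on tun2

table <intern> { $lan }

# One nat rule per uplink, each translating to the address of the interface
# the packet leaves on. A packet that route-to moves onto tun2 is then
# translated by the tun2 rule when pf evaluates it again on tun2, instead
# of arriving there already rewritten by a rule that ran on tun0.
nat on tun0 inet from <intern> to any -> (tun0)
nat on tun2 inet from <intern> to any -> (tun2)

# Policy routing for the LAN is decided on the inbound rule of the internal
# interface, before the routing table has sent the packet towards tun0:
# LAN HTTP is forced out tun2, everything else follows the default route.
pass in quick on $int_if route-to (tun2 $tun2_gw) inet proto tcp \
    from <intern> to any port http keep state
pass in quick on $int_if inet from <intern> to any keep state

# The PF FAQ's "keep each address on its own link" rules. They only catch
# packets that already carry an uplink's own address as source (a daemon
# bound to (tun2), or a reply that the default route would push out tun0);
# they do not translate gateway-originated traffic onto tun2.
pass out quick on tun0 route-to (tun2 $tun2_gw) inet from (tun2) to any keep state
pass out quick on tun2 route-to (tun0 $tun0_gw) inet from (tun0) to any keep state

# Ordinary outbound state on each uplink. Outbound filter rules see the
# post-nat source, so these also cover LAN traffic rewritten above.
pass out quick on tun0 inet from (tun0) to any keep state
pass out quick on tun2 inet from (tun2) to any keep state
```

Filtering policy (block rules for unsolicited inbound traffic on tun0 and tun2) is left out of the fragment. `pfctl -nf /etc/pf.conf` parses the file without loading it, which is the cheapest check that the macros and the `(interface)` forms resolve on the box before the rules go live.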