pf filtering openvpn problem
Maciej Milewski
milu at dat.pl
Mon Aug 2 13:54:47 UTC 2010
On Monday, 02 August 2010 at 11:16:37, Daniel Hartmeier wrote:
> The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
> on tun0, matching
>
> > pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
>
> and then passes out on sk0, but there is no matching rule.
>
> Since your default block rule
>
> > block drop in log all
>
> only applies to incoming (not outgoing) packets, it doesn't match,
> either. So the SYN packet passes by the implicit default pass rule,
> which doesn't keep state.
>
> That's why the returning SYN+ACK is blocked in on sk0, there is no
> state.
>
> Try adding
>
> pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
>
> and maybe remove the 'in' from the default block rule.
>
> HTH,
> Daniel
Indeed, that was it. This solution worked! Thanks, Daniel.
Regards,
Maciej Milewski
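The exchange above hinges on three pf behaviours: the last matching rule wins, a packet that matches no rule at all is passed by the implicit default rule without creating state, and a state created by `keep state` is keyed on endpoints and direction, so the forwarded SYN leaving on sk0 does not reuse the state created when it arrived on tun0. The following is an added example, not code from the original thread or from pf itself: a deliberately simplified Python model of that evaluation (floating states, no `quick`, no NAT, TCP flags reduced to a string) that walks the poster's SYN / SYN+ACK across tun0 and sk0 under the original ruleset, under Daniel's fix, and under the variant where the `in` is dropped from the block rule. The class and function names and the source port 40000 are constructed for the example.

```python
"""Toy model of pf rule and state evaluation (added example, not pf code).

Assumed, simplified semantics:
  - rules are evaluated in order; the LAST matching rule wins (no 'quick');
  - a packet matching no rule is passed by the implicit default pass,
    which creates no state;
  - 'keep state' records (src, sport, dst, dport, direction); a later packet
    with the same key, or the reply (endpoints swapped, opposite direction),
    is passed on state and skips the ruleset.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "S"  # "S" for a SYN, "SA" for a SYN+ACK


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: Optional[str] = None  # None: both directions
    iface: Optional[str] = None      # None: any interface ("on <iface>" absent)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    syn_only: bool = False           # models 'flags S/SA'
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.syn_only and p.flags != "S":
            return False
        return True


class Pf:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()
        self.last_reason = ""

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport, p.direction)

    @staticmethod
    def _reply_key(p: Packet):
        other = "out" if p.direction == "in" else "in"
        return (p.dst, p.dport, p.src, p.sport, other)

    def filter(self, p: Packet) -> str:
        """Return 'pass' or 'block'; self.last_reason says why."""
        if self._key(p) in self.states or self._reply_key(p) in self.states:
            self.last_reason = "state"
            return "pass"
        winner = None
        for r in self.rules:          # last match wins
            if r.matches(p):
                winner = r
        if winner is None:
            self.last_reason = "implicit default pass"   # no state created
            return "pass"
        self.last_reason = "rule"
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self._key(p))
        return winner.action


# The poster's ruleset as quoted in the thread (block first, pass later).
BLOCK_IN = Rule("block", direction="in")
BLOCK_ALL = Rule("block")
PASS_TUN0 = Rule("pass", iface="tun0", src="10.10.0.0/24", dst="10.0.10.2",
                 syn_only=True, keep_state=True)
PASS_SK0 = Rule("pass", iface="sk0", src="10.10.0.0/24", dst="10.0.10.2",
                syn_only=True, keep_state=True)

ORIGINAL_RULES = [BLOCK_IN, PASS_TUN0]
FIXED_RULES = [BLOCK_IN, PASS_TUN0, PASS_SK0]      # Daniel's added sk0 rule
BLOCK_BOTH_RULES = [BLOCK_ALL, PASS_TUN0]           # 'in' removed from block


def walk_connection(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Push the handshake through both interfaces; stop at the first block."""
    pf = Pf(rules)
    steps = [
        ("SYN in tun0", Packet("tun0", "in", "10.10.0.8", 40000, "10.0.10.2", 22, "S")),
        ("SYN out sk0", Packet("sk0", "out", "10.10.0.8", 40000, "10.0.10.2", 22, "S")),
        ("SYN+ACK in sk0", Packet("sk0", "in", "10.0.10.2", 22, "10.10.0.8", 40000, "SA")),
        ("SYN+ACK out tun0", Packet("tun0", "out", "10.0.10.2", 22, "10.10.0.8", 40000, "SA")),
    ]
    trace = []
    for name, pkt in steps:
        verdict = pf.filter(pkt)
        trace.append((name, verdict, pf.last_reason))
        if verdict == "block":
            break
    return trace


if __name__ == "__main__":
    for label, rs in [("original", ORIGINAL_RULES), ("fixed", FIXED_RULES),
                      ("block both dirs", BLOCK_BOTH_RULES)]:
        print(label, walk_connection(rs))
```

Under the original ruleset the trace shows the outgoing SYN on sk0 passing by the implicit default pass with no state, and the SYN+ACK coming back in on sk0 hitting `block drop in log all`; with the sk0 pass rule the SYN+ACK matches the reverse of the sk0 state and is never evaluated against the ruleset. The third variant shows why Daniel also suggested dropping the `in`: with the block rule covering both directions, the missing sk0 rule produces a logged block of the SYN on sk0 instead of a silent pass, which is far easier to spot in pflog.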