pf filtering openvpn problem

Maciej Milewski milu at dat.pl
Mon Aug 2 13:54:47 UTC 2010


On Monday 02 August 2010 at 11:16:37 Daniel Hartmeier wrote:
> The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
> on tun0, matching
> 
> > pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
> > keep
> 
> and then passes out on sk0, but there is no matching rule.
> 
> Since your default block rule
> 
> > block drop in log all
> 
> only applies to incoming (not outgoing) packets, it doesn't match,
> either. So the SYN packet passes by the implicit default pass rule,
> which doesn't keep state.
> 
> That's why the returning SYN+ACK is blocked in on sk0, there is no
> state.
> 
> Try adding
> 
> pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
> keep
> 
> and maybe remove the 'in' from the default block rule.
> 
> HTH,
> Daniel
Indeed, that was it. This solution worked! Thanks Daniel.

Regards,
Maciej Milewski
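To make Daniel's diagnosis concrete, here is an added toy model (not part of the thread and not pf itself) of how pf evaluates the two rulesets: last matching rule wins, the implicit default is pass without state, and a state only matches the packet direction it was created for (plus the reversed return traffic). It assumes the handshake packets shown below, omits ports and logging, and treats `flags S/SA` as "SYN only".

```python
# Toy model of pf stateful evaluation for the ruleset discussed in the thread.
# Assumptions: last matching rule wins, no 'quick', implicit default pass keeps no
# state, and a state matches its own direction plus the reversed reply direction.
from ipaddress import ip_address, ip_network

def rule(action, iface=None, direction=None, src="any", dst="any",
         syn_only=False, keep_state=False):
    return dict(action=action, iface=iface, direction=direction, src=src,
                dst=dst, syn_only=syn_only, keep_state=keep_state)

def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def _rule_match(r, pkt):
    iface, direction, src, dst, flags = pkt
    return (r["iface"] in (None, iface) and r["direction"] in (None, direction)
            and _addr_match(r["src"], src) and _addr_match(r["dst"], dst)
            and (not r["syn_only"] or flags == "S"))

def filter_packets(rules, packets):
    """Verdict per packet; stops at the first block (no reply would follow)."""
    states, verdicts = set(), []
    for pkt in packets:
        iface, direction, src, dst, flags = pkt
        rev = "out" if direction == "in" else "in"
        if (direction, src, dst) in states or (rev, dst, src) in states:
            verdicts.append("pass (state)")      # existing state short-circuits rules
            continue
        winner = None                            # None = implicit default pass
        for r in rules:
            if _rule_match(r, pkt):
                winner = r                       # last match wins
        if winner and winner["action"] == "block":
            verdicts.append("block")
            break
        if winner and winner["keep_state"]:
            states.add((direction, src, dst))
        verdicts.append("pass")
    return verdicts

ORIGINAL = [  # block drop in log all; pass log on tun0 ... flags S/SA keep state
    rule("block", direction="in"),
    rule("pass", iface="tun0", src="10.10.0.0/24", dst="10.0.10.2",
         syn_only=True, keep_state=True)]
FIXED = ORIGINAL + [  # Daniel's added rule for sk0
    rule("pass", iface="sk0", src="10.10.0.0/24", dst="10.0.10.2",
         syn_only=True, keep_state=True)]
# Constructed handshake: SYN forwarded tun0 -> sk0, SYN+ACK returning sk0 -> tun0.
HANDSHAKE = [("tun0", "in", "10.10.0.8", "10.0.10.2", "S"),
             ("sk0", "out", "10.10.0.8", "10.0.10.2", "S"),
             ("sk0", "in", "10.0.10.2", "10.10.0.8", "SA"),
             ("tun0", "out", "10.0.10.2", "10.10.0.8", "SA")]
```

With `ORIGINAL` the SYN leaves sk0 via the stateless default pass and the SYN+ACK is dropped by `block drop in`; with `FIXED` the sk0 rule creates the outbound state and both return packets match state.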


More information about the freebsd-pf mailing list