pf filtering openvpn problem
Daniel Hartmeier
daniel at benzedrine.cx
Mon Aug 2 09:16:47 UTC 2010
The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
on tun0, matching
> pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep
and then passes out on sk0, but there is no matching rule.
Since your default block rule
> block drop in log all
only applies to incoming (not outgoing) packets, it doesn't match,
either. So the SYN packet passes by the implicit default pass rule,
which doesn't keep state.
That's why the returning SYN+ACK is blocked in on sk0: there is no
state.
Try adding
pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
and maybe remove the 'in' from the default block rule.
HTH,
Daniel
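As an added illustration (not part of Daniel's reply and not the original poster's ruleset, which is not on this page), here is a minimal pf.conf showing the two rulesets side by side. Interface names, addresses and the destination port come from the thread; the macro names and the extra `port 22` restriction are assumptions.

```pf
# Added example, not the original poster's configuration.
# Interfaces and addresses are those named in the thread.

# --- Original (as described in the thread): only inbound is blocked by default ---
# block drop in log all
# pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
#
# The forwarded SYN leaves on sk0 with no matching rule, so pf's implicit
# default pass lets it out without creating state; the SYN+ACK coming back
# in on sk0 then matches "block drop in log all" and is dropped.

# --- Corrected: block both directions by default, keep state on both hops ---
ext_if  = "sk0"            # assumed macro name
vpn_if  = "tun0"           # assumed macro name
vpn_net = "10.10.0.0/24"
target  = "10.0.10.2"

# No 'in' keyword: outbound packets are blocked too, so nothing can
# slip through the implicit default pass rule without state.
block drop log all

# Both the VPN side and the LAN side create state for the SSH session,
# so the SYN+ACK (and every later packet) is matched by the state table.
pass log on $vpn_if inet proto tcp from $vpn_net to $target port 22 flags S/SA keep state
pass log on $ext_if inet proto tcp from $vpn_net to $target port 22 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after the first SYN from the VPN client run `pfctl -ss` to confirm that state entries now exist for both the tun0 and sk0 hops; if the SYN+ACK still shows up in the block log, the missing state is no longer the cause.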