packet filter does not keep state

Erik Norgaard norgaard at
Thu Apr 3 14:39:58 UTC 2008

I have investigated further:

The state table adds this entry:

all tcp <-

Which I suppose reflects the fact that the packet is blocked - I 
don't know how to capture the state table after the packet is 
passed on the way in, but before it is blocked on the way out.

Regarding the bad header, it is interesting that the header is 
fine on the way in! I had "scrub in all", which I changed to "scrub 
all", but no difference.

Have I found a bug? I'm running

FreeBSD 7.0-STABLE #0: Fri Feb 29 19:44:34 CET 2008 - custom 

As for NAT, there should be no problem; NAT is not applied, since I 
am connecting between directly connected local networks. I have no 
problem accessing the Internet where NAT is applied, btw (packets 
are passed by different rules on the way in, and NAT is applied 
after the out-rules above anyway). Anyway, FYI: this is my NAT 

nat on $srv_if from $wlan_net to !<local_net> -> $srv_if

Regarding the "quick", Vinicius: there is no point in removing that 
rule. First, as you see, the pass in rules also have "quick" and 
take effect before, as the log shows.

On the out rules: since I have keep state in the "in" rule, a 
state should be created by the in rule, and it should not be filtered 
by any out rules. Yet this does not happen.

As I mentioned in the OP, I can add a rule for out, but this is not 
how it's supposed to work.

Thanks, Erik
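The behaviour Erik is relying on, as an added illustration that is not part of the original post: a minimal pf.conf layout in which a "pass in ... keep state" rule on the inside interface is enough for the forwarded flow to leave on $srv_if without any matching "pass out" rule. Only $srv_if, $wlan_net and the <local_net> table appear in the post; the interface names, the $wlan_if macro, the table contents and the ordering of the rest of the file are assumptions made for this example.

```pf
# Added example (not from the original post). Macro values and the
# table contents are constructed; only $srv_if, $wlan_net and <local_net>
# come from the post.
wlan_if  = "ath0"                      # assumed inside (wireless) interface
srv_if   = "em0"                       # assumed outside interface
wlan_net = $wlan_if:network
table <local_net> { 192.168.0.0/16 }   # constructed: directly connected nets

# Floating is the default on 7.0, but stating it makes the intent explicit:
# a state created on one interface is matched on every interface, so the
# reply and forwarded halves of the flow never consult the ruleset again.
set state-policy floating

# Normalise in both directions, so the out-going half is scrubbed too.
scrub all

# NAT only for traffic leaving the local networks, as in the post.
nat on $srv_if from $wlan_net to !<local_net> -> $srv_if

# Default deny; logged so pflog0 shows which packets hit this rule.
block log all

# The state created here is what lets the packet out on $srv_if. With a
# floating state policy no "pass out on $srv_if" rule is needed for it.
pass in quick on $wlan_if proto tcp from $wlan_net to <local_net> keep state
```

To check what pf actually did for a given connection, open it and run "pfctl -ss" while it is still up: a healthy forwarded flow shows one entry for the inside-to-local pair in ESTABLISHED:ESTABLISHED, and "tcpdump -n -e -ttt -i pflog0" shows whether anything from that flow was logged by the block rule, and in which direction and on which interface. A flow that shows up on pflog0 in the out direction on $srv_if despite an existing state is the symptom the post describes, and is not explained by the ruleset above.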
