On Sun, May 18, 2008 at 3:33 AM, Johan Ström <[EMAIL PROTECTED]> wrote: > On May 18, 2008, at 9:19 AM, Matthew Seaman wrote: > >> Johan Ström wrote: >> >>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule >>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags >>> S/SA keep state". Where did that "keep state" come from? >> >> 'flags S/SA keep state' is the default now for tcp filter rules -- that >> was new in 7.0 reflecting the upstream changes made between the 4.0 and >> 4.1 >> releases of OpenBSD. If you want a stateless rule, append 'no state'. >> >> http://www.openbsd.org/faq/pf/filter.html#state > > Thanks! I was actually looking around in the pf.conf manpage but failed to > find it yesterday, but looking closer today I now saw it. > Applied the no state (and quick) to the rule, and now no state is created. > And the problem I had in the first place seems to have been resolved too > now, even though it didn't look like a state problem.. (started to deny new > connections much earlier than the states was full, altough maybee i wasnt > looking for updates fast enough or something). >
I'd be willing to bet it's because you're reusing the source port on a new connection before the old state expires. You'll know if you check the state-mismatch counter. Anyway, glad you found a resolution. -Kian
_______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
