On Monday, 02 August 2010 at 11:16:37, Daniel Hartmeier wrote:
> The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
> on tun0, matching
>
> > pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep
>
> and then passes out on sk0, but there is no matching rule.
>
> Since your default block rule
>
> > block drop in log all
>
> only applies to incoming (not outgoing) packets, it doesn't match,
> either. So the SYN packet passes by the implicit default pass rule,
> which doesn't keep state.
>
> That's why the returning SYN+ACK is blocked in on sk0, there is no
> state.
>
> Try adding
>
> pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep
>
> and maybe remove the 'in' from the default block rule.
>
> HTH,
> Daniel

Indeed, that was it. This solution worked! Thanks Daniel.

Regards,
Maciej Milewski
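The packet path described in the quoted reply, as an added example that is not part of the original thread and is not pf's implementation: a simplified Python model in which the last matching rule wins, an unmatched packet passes without state, and a state only covers replies in the opposite direction. The `Rule` class and the `evaluate` and `handshake` helpers are hypothetical names; `flags S/SA` and logging are not modelled.

```python
"""Simplified model of pf filtering a forwarded TCP handshake (not pf's real code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: str            # "in", "out" or "any"
    iface: str                # interface name or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    keep_state: bool = False

def evaluate(rules, states, iface, direction, src, dst):
    """Verdict for one packet crossing one interface in one direction."""
    reverse = "out" if direction == "in" else "in"
    # A state covers the same flow in the direction it was created in,
    # and the reply flow (addresses swapped) in the opposite direction.
    if (direction, src, dst) in states or (reverse, dst, src) in states:
        return "pass"
    verdict, keep = "pass", False   # implicit default: pass, no state
    for r in rules:                 # last matching rule wins
        if (r.direction in ("any", direction) and r.iface in ("any", iface)
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)):
            verdict, keep = r.action, r.keep_state
    if verdict == "pass" and keep:
        states.add((direction, src, dst))
    return verdict

def handshake(rules, client="10.10.0.8", server="10.0.10.2"):
    """Send SYN then SYN+ACK through tun0/sk0; stop at the first block."""
    states, verdicts = set(), []
    for hop in [("tun0", "in", client, server), ("sk0", "out", client, server),
                ("sk0", "in", server, client), ("tun0", "out", server, client)]:
        verdicts.append(evaluate(rules, states, *hop))
        if verdicts[-1] == "block":
            break
    return verdicts

# Constructed from the rules quoted in the thread.
ORIGINAL = [
    Rule("block", "in", "any"),                                         # block drop in log all
    Rule("pass", "any", "tun0", "10.10.0.0/24", "10.0.10.2/32", True),  # pass ... on tun0 ... keep
]
FIXED = ORIGINAL + [Rule("pass", "any", "sk0", "10.10.0.0/24", "10.0.10.2/32", True)]

if __name__ == "__main__":
    print("original:", handshake(ORIGINAL))   # SYN+ACK blocked in on sk0
    print("fixed:   ", handshake(FIXED))      # all four hops pass
```

With the `in` removed from the default block rule and no rule on sk0, the same model blocks the SYN at the outbound hop on sk0, which makes the missing rule visible one hop earlier.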