On Mon, Mar 07, 2011 at 01:36:31PM +0100, Henrik Engmark wrote:
> I tried that, with no success.
> Also compiled 5.51 from source with the same result.
> I get this:
>
> sendto in send_ip_packet_sd: sendto(4, packet, 60, 0, ya.da.ya.da, 16) => No route to host
> Offending packet: TCP ya.da.ya.da:59268 > ya.da.ya.da:80 ttl=55 id=27672 iplen=60 seq=3496514045 win=128 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>
>
> I went on to clean up like nobody's business, i.e.
>
> # pfctl -s rules
> pass all no state
> pass all user = 0 no state (I know)
>
> Still doesn't work.

Try playing with allow-opts (at your own risk, of course).

	-Otto

> Just to be sure I tried disabling pf, and of course that does the trick.
> But as I said, that's not an option for me.
>
> Any more suggestions? Is pf configurable on a lower level outside
> the ruleset?
>
> >>Is there a way, good or bad, to relax pf enough to let nmap do its
> >>OS detection?
> >>I am on 4.8.
> >
> >You can always disable pf (pfctl -d). I'd also expect any sensible
> >configuration without "scrub" or (implicit) "keep state" to work,
> >but I didn't check that.
> >
> >E.g. you could try
> >
> >set skip on lo0
> >pass
> >block in on ! lo0 proto tcp to port 6000:6010
> >pass user root no state
> >pass icmp no state
> >
> > Joachim
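As an added example, not written by any participant in this thread: pf blocks IPv4 packets that carry IP options unless the pass rule they match says allow-opts (drops for this reason show up under the ip-option counter in `pfctl -s info`), so a blanket `pass all no state` does not help if that is what is dropping the probes. Rather than loosening the whole policy, the exception can be scoped to one assessment. The interface name em0 and the target network 192.0.2.0/24 are assumptions constructed for illustration; the rest of the policy is a placeholder for whatever the host normally runs.

```pf
# Added example, not from the thread. Assumptions: egress interface em0,
# assessment targets in 192.0.2.0/24 (constructed, documentation range).
ext_if      = "em0"
scan_targets = "192.0.2.0/24"

set skip on lo0

# Normal policy stays as it is for everything else (placeholder here).
block log all
pass out on $ext_if inet proto { tcp udp icmp }

# Narrow, temporary exception for the scanner: outbound only, only from
# this host's own address, only to the assessment targets.
#  - allow-opts: otherwise pf drops any IPv4 packet that carries IP options,
#    whatever the other pass rules say.
#  - no state: the crafted probes do not follow the normal TCP handshake,
#    so a stateful rule would not let the replies back in anyway.
#  - quick: stops evaluation here so a later, broader rule cannot override it.
#  - log: every packet using the exception is recorded on pflog0.
pass out log quick on $ext_if inet from ($ext_if) to $scan_targets allow-opts no state
pass in  log quick on $ext_if inet from $scan_targets to ($ext_if) no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, confirm the two exception rules with `pfctl -s rules`, and remove them again once the assessment is over: allow-opts also lets option-bearing packets such as source-routed ones through that rule, which is exactly why Otto adds "at your own risk". Watching the ip-option counter in `pfctl -s info` before and after loading the rules tells you whether IP options were in fact the reason the probes were dropped.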