On 2015-02-26, D'Arcy J.M. Cain <da...@vex.net> wrote:
> On Thu, 26 Feb 2015 21:49:15 +0100
> Otto Moerbeek <o...@drijf.net> wrote:
>> > What are you looking for specifically? I thought I posted all the
>> > relevant rules and outputs. In particular I showed that the
>> > problem IP was in the AUTOBLOCK table with "pfctl -tAUTOBLOCK -Ts".
>>
>> Well, from what you describe it is likely there is a rule creating
>> state. It could very well be that one of the rules you left out is the
>> culprit.
>
> OK, here is everything: http://www.vex.net/~darcy/pf.conf
Use pfctl -ss -v to identify the rule number that created state. Use pfctl -sr -R <number> to display how that rule was added to the kernel. Few of us here know what level of PF NetBSD is using and how it interprets rulesets.

Additionally: why don't you want to create state? A state check is very much faster than a rule traversal; that's something you probably want on at least the VoIP media.

Additionally #2: dropping packets often doesn't stop SIP floods. https://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/ might be interesting.
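The two-step procedure above (find the creating rule number in the verbose state listing, then dump that rule back out of the kernel) is easy to script once the problem IP is known, for instance an address pulled from the AUTOBLOCK table. The script below is an added example, not code from the thread or from PF itself. The state listing it parses is constructed to mimic the OpenBSD "pfctl -ss -v" format ("... bytes, rule N" on the detail line); NetBSD ships an older PF and may print the listing differently, so confirm the "rule N" token on a real listing before trusting the parser there. The IPs and rule numbers are made up.

```sh
#!/bin/sh
# Added example (not from the thread): correlate PF states with the rule that
# created them, i.e. the "pfctl -ss -v" / "pfctl -sr -R <n>" procedure.
# SAMPLE_STATES is CONSTRUCTED to mimic OpenBSD's verbose state output and is
# only used when pfctl is not available on the machine running the script.

SAMPLE_STATES='all udp 192.0.2.10:5060 <- 198.51.100.7:5060       MULTIPLE:MULTIPLE
   age 00:00:12, expires in 00:00:48, 40:38 pkts, 25600:24320 bytes, rule 12
   id: 0000000055b2c3a1 creatorid: 1a2b3c4d
all tcp 192.0.2.10:22 <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED
   [3232235777 + 16384] wscale 7  [1234567 + 65535] wscale 7
   age 00:10:32, expires in 23:59:58, 123:456 pkts, 12345:67890 bytes, rule 3
   id: 0000000055b2c3a2 creatorid: 1a2b3c4d
all udp 192.0.2.10:5060 <- 198.51.100.7:5062       MULTIPLE:MULTIPLE
   age 00:00:01, expires in 00:00:59, 2:1 pkts, 1280:640 bytes, rule 12
   id: 0000000055b2c3a3 creatorid: 1a2b3c4d'

# rules_for_host HOST: read a "pfctl -ss -v" listing on stdin and print,
# one per line and de-duplicated, the numbers of the rules that created
# states involving HOST (e.g. the problem IP found in the AUTOBLOCK table).
rules_for_host() {
    awk -v host="$1" '
        # State header lines start in column 1 with the interface ("all"
        # or an ifname) and carry the addresses.  Each address is preceded
        # by a space and followed by ":port", so " host:" matches exactly
        # (no prefix hits such as 8.51.100.7 inside 198.51.100.7).
        /^[^ ]/ { hit = (index($0, " " host ":") > 0) }
        # The indented verbose detail line ends with ", rule N"; newer PF
        # may append ", anchor ..." after it, which the second sub() strips.
        hit && /rule [0-9]+/ {
            sub(/.*rule /, ""); sub(/[^0-9].*/, ""); print
        }' | sort -un
}

# show_creating_rules HOST: for each rule number found, print the rule text
# as the kernel holds it (pfctl -sr -R <n>).  Falls back to the constructed
# sample and a reminder line when pfctl is not present on this machine.
show_creating_rules() {
    host="$1"
    if command -v pfctl >/dev/null 2>&1; then
        states=$(pfctl -ss -v)
    else
        states=$SAMPLE_STATES
    fi
    printf '%s\n' "$states" | rules_for_host "$host" | while read -r n; do
        echo "== rule $n created state(s) for $host =="
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -sr -R "$n"
        else
            echo "(run on the firewall: pfctl -sr -R $n)"
        fi
    done
}

show_creating_rules 198.51.100.7
```

Run it as root on the firewall with the offending address as the argument; every rule it names is one that creates state for that host, which is exactly the set to compare against the ruleset posted above. If a rule shows up that you expected to be stateless, look for a missing "no state" on it.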