On Wed, Jan 02, 2019 at 07:09:54PM +0100, Philipp Buehler wrote:
> 'pfctl -vvss':
> all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690
> ESTABLISHED:ESTABLISHED
> [1683650613 + 66296] wscale 7 [3702552199 + 16768] wscale 2
> age 04:32:22, expires in 00:09:25, 745:737 pkts, 55579:87226 bytes,
> anchor 11, rule 0, source-track

Anchor 11 is the twelfth rule in your main ruleset (the anchor rule), in
which the first rule established this state.

> id: 5b5139707ff0259a creatorid: cfe3cb20
>
> Now, who is 'anchor 11'? By no means 'relayctl show redirects' or 'pfctl
> -vsA' or "pfctl -a 'relayd/*' -vvsr" would give me a "numbered" clue.
> The anchors are ascii/literally named - no number like on the
> rules in 'pfctl -vvsr'.

`pfctl -vv -s rules -R 11' shows this very rule,
`pfctl -vv -s states -R 11' will show all states established by this rule
if any.

> In the current case I've only one relayd-redirection with port 993, so I can
> guestimate the anchor.
>
> Am I overlooking a pfctl/relayctl option or is '11' internal only?

Provide your ruleset so we can look at actual rules without guessing in
case your problem persists, `pfctl -a\* -s rules' prints them including
anchors.
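
The lookup described in the reply above, as an added example that is not part of the original message: it reads saved `pfctl -vvss` output, pulls the `anchor N, rule M` origin out of each state, and builds the two `-R` commands from the reply for every main-ruleset rule number it finds. The function names are hypothetical, the second sample state is constructed, and the layout (entry line unindented, detail lines indented) is an assumption about the unwrapped output.

```python
import re
from collections import defaultdict

# Constructed sample: the first entry is the state quoted in the thread,
# the second is made up (documentation addresses) and has no anchor.
SAMPLE = """\
all tcp 10.45.30.7:993 (public-nat:993) <- remote-ip:4690       ESTABLISHED:ESTABLISHED
   [1683650613 + 66296] wscale 7  [3702552199 + 16768] wscale 2
   age 04:32:22, expires in 00:09:25, 745:737 pkts, 55579:87226 bytes, anchor 11, rule 0, source-track
   id: 5b5139707ff0259a creatorid: cfe3cb20
all tcp 192.0.2.10:22 <- 198.51.100.7:50122       ESTABLISHED:ESTABLISHED
   [1 + 2] wscale 7  [3 + 4] wscale 2
   age 00:01:00, expires in 23:59:00, 10:9 pkts, 900:800 bytes, rule 4
   id: 0000000000000001 creatorid: cfe3cb20
"""

# "anchor N, " is optional; "rule M" is the rule that created the state.
ORIGIN = re.compile(r"(?:anchor (\d+), )?rule (\d+)")

def parse_states(text):
    """Return (summary, anchor, rule) per state; anchor is None if absent."""
    entries, current = [], []
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented: new state entry
            if current:
                entries.append(current)
            current = [line]
        elif current and line.strip():          # indented detail line
            current.append(line)
    if current:
        entries.append(current)
    states = []
    for entry in entries:
        m = ORIGIN.search(" ".join(entry[1:]))
        if m:                                   # skip entries with no origin
            anchor = int(m.group(1)) if m.group(1) else None
            states.append((" ".join(entry[0].split()), anchor, int(m.group(2))))
    return states

def lookup_commands(text):
    """Build the -R commands from the reply for each main-ruleset number."""
    by_rule = defaultdict(list)
    for summary, anchor, rule in parse_states(text):
        # With an anchor, "anchor N" is the main-ruleset (anchor) rule and
        # "rule M" counts inside it; without one, M is the main-ruleset rule.
        by_rule[anchor if anchor is not None else rule].append(summary)
    cmds = []
    for n in sorted(by_rule):                   # n is zero-based: 11 = twelfth
        cmds += [f"pfctl -vv -s rules -R {n}", f"pfctl -vv -s states -R {n}"]
    return cmds

if __name__ == "__main__":
    print("\n".join(lookup_commands(SAMPLE)))
```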