On 2007/07/20 10:46, Gordon Ross wrote:
> Going off on a tangent here: Why is it that I've just picked this up and
> no-one else has?
I think because you had no rules (pass or block) affecting outgoing packets - it's quite common to start things off with just 'block' (without specifying the direction) or 'block log' which would give more clues about what's going wrong when you tcpdump -netti pflog0. It's possibly also connected with the change to defaulting to 'flags S/SA' (done to avoid sequence number problems with TCP window-scaling without requiring people to change rulesets) - though I didn't work through your rules to check that.

> I haven't tried your diff - let me know if you want me to.

It just changes the implicit rule to keep state so shouldn't affect things for you now you've added specific rules; I was more throwing it out for discussion. Actually looking at it again, flags probably need to be addressed too, maybe with

    pf_default_rule.flags = 1;     /* SYN */
    pf_default_rule.flagset = 18;  /* SYN+ACK */

but I'm not so sure about that.
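To make the 'flags S/SA' semantics and the proposed default-rule change concrete, here is an added model (not pf's own code and not part of the thread): a pf-style "flags a/b" spec matches when, of the bits in b, exactly the bits in a are set, using the standard <netinet/tcp.h> flag values (TH_SYN 0x02, TH_ACK 0x10). The struct, function names and the keep_state switch are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard TCP header flag bits, as defined in <netinet/tcp.h>. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40

/* Hypothetical model of a pf rule's flag spec: "flags a/b" means that,
 * looking only at the bits in b (flagset), exactly the bits in a (flags)
 * must be set.  Bits outside flagset are ignored. */
struct flag_spec {
    uint8_t flags;    /* bits that must be set            */
    uint8_t flagset;  /* bits that are examined at all     */
};

static const struct flag_spec SPEC_S_SA = { TH_SYN, TH_SYN | TH_ACK }; /* "flags S/SA" */
static const struct flag_spec SPEC_ANY  = { 0, 0 };                    /* no flag check */

/* Does a packet carrying th_flags satisfy the spec? */
bool flags_match(struct flag_spec spec, uint8_t th_flags)
{
    return (th_flags & spec.flagset) == spec.flags;
}

/* Would the implicit default rule create state for this packet?  With
 * keep_state plus an S/SA spec, only the initial SYN (the segment that
 * negotiates window scaling) creates state; SYN+ACK and bare ACK do not. */
bool default_rule_creates_state(bool keep_state, struct flag_spec spec,
                                uint8_t th_flags)
{
    return keep_state && flags_match(spec, th_flags);
}

int main(void)
{
    /* Constructed sample segments: SYN, SYN+ACK, ACK, SYN with ECE set. */
    const uint8_t samples[] = { TH_SYN, TH_SYN | TH_ACK, TH_ACK, TH_SYN | TH_ECE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%02x S/SA match=%d creates_state=%d\n", samples[i],
               flags_match(SPEC_S_SA, samples[i]),
               default_rule_creates_state(true, SPEC_S_SA, samples[i]));
    printf("flagset SYN|ACK = %d\n", TH_SYN | TH_ACK);
    return 0;
}
```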