Hi,
I have a new setup with a 4.3 PF firewall that includes CARP addresses,
trunked VLANs and HA. We've migrated from a different architecture, so
the rules have never been tested on a different version before. I've
tried to set up the first unit with my ruleset, but all forwarded packets
seem to have problems with state. The packets come through, a state
table entry is created, they reach the system, but when they come back,
they are blocked by PF.
I have keep state entries for all of my rules, so I don't know where the
problem could be. The ruleset is available here:
http://www.sjohnson.info/other/pf.conf
The only things I've removed from the ruleset are aliases and table
definitions.
When I check for specific entries in the state table, I see them as
"CLOSED:SYN_SENT". If I disable PF, the packets make it through
properly, so it should not be any routing or IP forwarding issue. I also
tried conservative instead of aggressive optimization, but it didn't
change anything, as I expected.
Here are the sysctl settings that I have changed:
net.inet.ip.forwarding=1
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
net.inet.carp.preempt=1
Any clue as to what could be the problem?
Thanks a lot,
Steve Johnson
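As an added example, not part of Steve's message or of the PF project, here is a small script that parses `pfctl -ss` output and lists the TCP states that never progressed past the SYN exchange (the `CLOSED:SYN_SENT` entries the message describes), grouped by interface and destination. The sample state lines are constructed for this example; in practice you would feed the script the real output, e.g. `pfctl -ss | python3 pf_halfopen.py`. The parser keeps only the first and last endpoint of each line, so lines with NAT translation in the middle still resolve to the original source and destination.

```python
"""List PF TCP states stuck in the handshake phase from `pfctl -ss` output.

Each `pfctl -ss` line has the shape:
    <iface> <proto> <endpoint> <- <endpoint> [<- <endpoint>]  <state>
    <iface> <proto> <endpoint> -> <endpoint> [-> <endpoint>]  <state>
where `<state>` is `<src-state>:<dst-state>`.
"""
import sys
from collections import Counter

# Constructed sample of `pfctl -ss` output (not taken from the original post).
SAMPLE_STATES = """\
all tcp 10.0.0.5:80 <- 192.168.1.10:51234       CLOSED:SYN_SENT
all tcp 10.0.0.5:80 <- 192.168.1.11:40001       CLOSED:SYN_SENT
all tcp 10.0.0.5:443 <- 192.168.1.12:40002       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.10:51234 -> 10.0.0.5:80       SYN_SENT:CLOSED
all udp 10.0.0.53:53 <- 192.168.1.10:5353       MULTIPLE:SINGLE
all tcp 10.0.0.5:22 <- 192.168.1.13:40003       FIN_WAIT:FIN_WAIT
"""

ARROWS = ("<-", "->")
HANDSHAKE_STATES = ("SYN_SENT", "SYN_RCVD")


def parse_states(text):
    """Parse `pfctl -ss` lines into dicts with iface, proto, src, dst, state."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5:
            continue  # not a state line (blank, or -vv detail lines)
        iface, proto, state = tokens[0], tokens[1], tokens[-1]
        middle = tokens[2:-1]
        arrows = [t for t in middle if t in ARROWS]
        endpoints = [t for t in middle if t not in ARROWS]
        if not arrows or len(endpoints) < 2:
            continue
        # `dst <- src` for inbound states, `src -> dst` for outbound ones.
        if arrows[0] == "<-":
            dst, src = endpoints[0], endpoints[-1]
        else:
            src, dst = endpoints[0], endpoints[-1]
        entries.append({"iface": iface, "proto": proto,
                        "src": src, "dst": dst, "state": state})
    return entries


def is_half_open(entry):
    """True for TCP states still in the SYN exchange with no side ESTABLISHED."""
    if entry["proto"] != "tcp":
        return False
    sides = entry["state"].split(":")
    if "ESTABLISHED" in sides:
        return False
    return any(side in HANDSHAKE_STATES for side in sides)


def find_half_open(entries):
    """Return only the states that never completed the TCP handshake."""
    return [e for e in entries if is_half_open(e)]


def summarize(entries):
    """Count half-open states per (interface, destination) pair."""
    return Counter((e["iface"], e["dst"]) for e in find_half_open(entries))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    for (iface, dst), count in summarize(parse_states(text)).most_common():
        print(f"{count:4d} half-open state(s) on {iface} towards {dst}")
```

A destination that accumulates half-open states while its service is reachable with PF disabled is the place to start comparing which interface and direction the state was created on against where the reply actually arrives.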