OS: OpenBSD 4.4 RELEASE i386

PF is blocking traffic that I want it to pass. I notice this when I run nmap 4.76 (compiled from source). It appears that my packets are being dropped because they don't match the "pass out quick" rule in my pf.conf. I noticed this rule is modified due to the default setting to match on flags S/SA. How do I create a rule to ignore the flags S/SA so that my scans can complete?

    # nmap -sS -T5 -sV -p- 2.2.2.2

    Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-20 22:47 PST
    sendto in send_ip_packet: sendto(4, packet, 40, 0, 2.2.2.2, 16) => No route to host
    Offending packet: TCP 1.1.1.1:37016 > 2.2.2.2:80 A ttl=45 id=13618 iplen=40 seq=3279582132 win=2048 ack=3457570278
    Sleeping 15 seconds then retrying
    sendto in send_ip_packet: sendto(4, packet, 40, 0, 2.2.2.2, 16) => No route to host
    Offending packet: TCP 1.1.1.1:37016 > 2.2.2.2:80 A ttl=45 id=13618 iplen=40 seq=3279582132 win=2048 ack=3457570278
    Sleeping 60 seconds then retrying
    (truncated for brevity)

PF logs show that the packets are dropped due to rule 0 match:

    # tcpdump -n -e -ttt -s 1514 -r /var/log/pflog host 2.2.2.2
    Nov 20 22:42:37.938337 rule 0/(match) block out on fxp0: 1.1.1.1.46363 > 2.2.2.2.80: . ack 834370022 win 2048
    Nov 20 22:42:52.940776 rule 0/(match) block out on fxp0: 1.1.1.1.46363 > 2.2.2.2.80: . ack 1 win 2048
    Nov 20 22:45:02.202499 rule 0/(match) block out on fxp0: 1.1.1.1.42175 > 2.2.2.2.80: . ack 2174811336 win 1024
    Nov 20 22:45:17.206752 rule 0/(match) block out on fxp0: 1.1.1.1.42175 > 2.2.2.2.80: . ack 1 win 1024
    Nov 20 22:46:17.194321 rule 0/(match) block out on fxp0: 1.1.1.1.42175 > 2.2.2.2.80: . ack 1 win 1024
    Nov 20 22:47:12.874250 rule 0/(match) block out on fxp0: 1.1.1.1.37016 > 2.2.2.2.80: . ack 3457570278 win 2048
    Nov 20 22:47:27.877828 rule 0/(match) block out on fxp0: 1.1.1.1.37016 > 2.2.2.2.80: . ack 1 win 2048
    Nov 20 22:48:27.865343 rule 0/(match) block out on fxp0: 1.1.1.1.37016 > 2.2.2.2.80: . ack 1 win 2048
    (truncated for brevity)

Here are my PF rules:

    # pfctl -s rules
    block return log all
    block return in quick inet6 all
    pass quick proto icmp all keep state allow-opts
    pass out quick all flags S/SA keep state allow-opts
    pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
    pass in on fxp0 proto tcp from any to (fxp0) port = www flags S/SA keep state
    pass quick on vlan0 all flags S/SA keep state allow-opts
    pass quick on vlan1 all flags S/SA keep state allow-opts

Here is my pf.conf:

    # cat /etc/pf.conf
    # SETTINGS
    set block-policy return
    set loginterface fxp0
    set skip on lo
    scrub in

    # NAT/RDR
    nat on fxp0 from !(fxp0) to any -> (fxp0)

    # RULES
    block log all
    block in quick inet6 all
    pass quick proto icmp allow-opts
    pass out quick all allow-opts
    pass in log on fxp0 proto tcp from any to (fxp0) port 22
    pass in on fxp0 proto tcp from any to (fxp0) port 80
    pass quick on vlan0 allow-opts
    pass quick on vlan1 allow-opts
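An added pf.conf fragment (not from the original post) showing the change that addresses the question while keeping the stricter default on every other rule. It assumes the scanning host is the firewall itself, sending from fxp0; the only new line is the narrowed outbound rule with `flags any`.

```conf
# Added example, not the poster's config. Assumption: the host running nmap
# is this firewall, so its probes leave via fxp0 with a source of (fxp0).
#
# Why rule 0 matches: since OpenBSD 4.1 every TCP pass rule gets
# 'flags S/SA keep state' unless told otherwise, so state is created only
# from a SYN-without-ACK. A bare ACK that belongs to no existing state
# matches nothing but 'block log all' (rule 0 in pflog) and is dropped.
# 'flags any' disables the flag check for this one rule; it is deliberately
# limited to TCP from fxp0's own address instead of changing 'pass out all',
# because a rule with 'flags any' will happily create state from
# mid-stream packets and so gives weaker tracking than the default.
block log all
block in quick inet6 all
pass quick proto icmp allow-opts
pass out quick on fxp0 proto tcp from (fxp0) to any flags any allow-opts
pass out quick all allow-opts
pass in log on fxp0 proto tcp from any to (fxp0) port 22
pass in on fxp0 proto tcp from any to (fxp0) port 80
pass quick on vlan0 allow-opts
pass quick on vlan1 allow-opts

# Verify before and after loading:
#   pfctl -nf /etc/pf.conf            # syntax check only
#   pfctl -f /etc/pf.conf             # load
#   pfctl -sr | grep 'flags any'      # the expanded rule should appear once
#   tcpdump -n -e -ttt -i pflog0 host 2.2.2.2   # no more 'rule 0/(match) block out'
```

The remaining `pass out quick all` still expands to `flags S/SA keep state`, so outbound traffic from anything other than the firewall's own TCP sessions is handled exactly as before.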