On Fri, Nov 21, 2008 at 2:11 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008-11-21, Joe S <[EMAIL PROTECTED]> wrote:
>> How do I create a rule to ignore the flags S/SA
>
> Read pf.conf(5) about flags.
>

Thanks. I read everything but that man page. I added "flags any" to my "pass out" rule and my packets are no longer blocked by rule 0.

# pfctl -s rules
block return log all
block return in quick inet6 all
pass quick proto icmp all keep state allow-opts
pass out quick all flags any keep state allow-opts
pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in on fxp0 proto tcp from any to (fxp0) port = www flags S/SA keep state
pass quick on vlan0 all flags S/SA keep state allow-opts
pass quick on vlan1 all flags S/SA keep state allow-opts

However, I'm still getting these messages:

# nmap -sS -T5 -sV -p- 2.2.2.2

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-21 09:44 PST
sendto in send_ip_packet: sendto(4, packet, 44, 0, 2.2.2.2, 16) => No route to host
Offending packet: TCP 1.1.1.1:33717 > 2.2.2.2:38202 S ttl=57 id=19537 iplen=44 seq=3871189649 win=2048 <mss 1460>
Sleeping 15 seconds then retrying

Why would it say no route to host? I can reach that system just fine.

(By the way, those are not the real IPs)
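An added pf.conf fragment, not from this thread, showing what the default "flags S/SA" on the ruleset above actually matches and what "flags any" gives up; the interface name em0 is assumed.

```pf
# Added illustration, not part of the thread. Interface em0 is an assumption.
# pf evaluates rules top to bottom and the last match wins unless "quick".

# Default deny, as in the ruleset above (rule 0).
block return log all

# "flags S/SA" is pf's default for stateful TCP rules: of the SYN and ACK
# bits (the "SA" mask) only SYN may be set, so the rule matches just the
# first packet of a handshake. The state it creates then carries the rest
# of the connection; later packets are matched by state, not by this rule.
pass in on em0 proto tcp from any to (em0) port ssh flags S/SA keep state

# A TCP packet that is not SYN-only and belongs to no existing state does
# not match the rule above and falls back to "block return log all",
# which is why such packets show up as blocked by rule 0.

# "flags any" ignores the TCP flags entirely, so this rule matches, and
# creates state for, every outbound TCP packet whether or not it began a
# handshake. Keep such a rule narrowly scoped (interface, protocol, source)
# rather than "pass out quick all", so the relaxed flag check applies only
# where it is needed.
pass out quick on em0 proto tcp from (em0) to any flags any keep state
```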