On 2009-08-18, Rioux, Christophe <cri...@viseo.net> wrote:
> I have some strange packet filtering on an openbsd 4.4
>
> at the beginning a normal block all (not a "block in quick", but only a "block
> in")
>
> block in log on em0 all
> block out log on em0 all
>
> then I authorise some traffic:
>
> pass in on em0 from "172.30.251.0/24"
> to "172.30.251.0/24" keep state
> pass out on em0 from "172.30.251.0/24"
> to "172.30.251.0/24" keep state
>
> If I log the result, I see:
>
> Aug 17 17:41:02.521407 rule 42/(match) block in on em0: 172.30.251.131.2715
> > 172.30.251.141.2146: [|tcp]
>
> => rule 42 is the rule "block in log on em0 all".
There's something about that packet which causes it to not match an existing state (e.g. bad sequence number). New TCP states are normally only created from the initial handshake packets (default is flags S/SA). [|tcp] indicates that only part of the packet was captured; you might get something more useful if you increase snaplen in the tcpdump line (e.g. -s1500). You could also look for syslog entries (you might need pfctl -x misc).
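Once tcpdump has written the pflog output to a file, the lines quoted above are easy to post-process. The following Python script is an added example for this thread, not code from the thread or from OpenBSD: it parses lines in the pflog format shown above (the first sample line is the one quoted; the other lines are constructed), counts blocked packets per rule number so the catch-all rule stands out, flags entries printed as `[|tcp]` where snaplen truncated the packet, and, where the TCP flags did survive, separates bare SYNs (the packets pf uses to create a new state under the default `flags S/SA`) from mid-stream packets that were blocked because they matched no state. The flag notation ("S" for SYN, "S." for SYN-ACK, "." for ACK only) is assumed from classic tcpdump output and does not come from the thread.

```python
"""Summarise OpenBSD pflog lines as printed by tcpdump on pflog0.

Added example for this thread, not code from the thread or from OpenBSD.
The line format follows the pflog line quoted in the thread; the TCP flag
notation ("S", "S.", ".") is assumed classic tcpdump output.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the first line is the one quoted in the thread,
# the remaining lines are made up in the same format for illustration.
SAMPLE_LOG = """\
Aug 17 17:41:02.521407 rule 42/(match) block in on em0: 172.30.251.131.2715 > 172.30.251.141.2146: [|tcp]
Aug 17 17:41:03.001200 rule 42/(match) block in on em0: 172.30.251.131.2715 > 172.30.251.141.2146: [|tcp]
Aug 17 17:41:05.113300 rule 43/(match) block out on em0: 172.30.251.141.2146 > 172.30.251.131.2715: [|tcp]
Aug 17 17:41:07.220000 rule 44/(match) pass in on em0: 172.30.251.131.2716 > 172.30.251.141.22: S 1001:1001(0) win 16384
Aug 17 17:41:09.330000 rule 42/(match) block in on em0: 172.30.251.131.2717 > 172.30.251.141.22: . ack 1 win 16384
"""

# timestamp, "rule N/(reason)", action, direction, interface, "src > dst:"
# and whatever tcpdump decoded after that.
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): ?(?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"^[SFRPUE.]+$")  # assumed tcpdump flag token


@dataclass
class PflogEntry:
    timestamp: str
    rule: int
    reason: str
    action: str
    direction: str
    ifname: str
    src: str
    dst: str
    rest: str  # decoded protocol part, e.g. "S 1001:1001(0) win 16384"

    @property
    def truncated(self) -> bool:
        # "[|tcp]" means snaplen cut the packet before the TCP header could
        # be decoded; a larger -s on the tcpdump line would show the flags.
        return "[|tcp]" in self.rest

    @property
    def flags(self) -> Optional[str]:
        # TCP flags token ("S", "S.", "."), None if truncated or not TCP.
        token = self.rest.split(" ", 1)[0] if self.rest else ""
        return token if FLAGS_RE.match(token) else None

    @property
    def is_syn(self) -> bool:
        # A bare SYN is what pf needs to create a new TCP state under the
        # default "flags S/SA"; anything else with no matching state falls
        # through to the catch-all block rule, as in the thread.
        return self.flags is not None and "S" in self.flags and "." not in self.flags


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog line; None for lines in another format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    return PflogEntry(
        timestamp=m["ts"], rule=int(m["rule"]), reason=m["reason"],
        action=m["action"], direction=m["dir"], ifname=m["ifname"],
        src=m["src"], dst=m["dst"], rest=m["rest"],
    )


def parse_pflog(text: str) -> List[PflogEntry]:
    entries = (parse_pflog_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def blocked_by_rule(entries: List[PflogEntry]) -> Dict[int, int]:
    """Blocked packets per rule number; the catch-all rule will dominate."""
    return dict(Counter(e.rule for e in entries if e.action == "block"))


def truncated_count(entries: List[PflogEntry]) -> int:
    """Entries whose TCP header was hidden by snaplen ([|tcp])."""
    return sum(1 for e in entries if e.truncated)


def blocked_non_syn(entries: List[PflogEntry]) -> List[PflogEntry]:
    """Blocked TCP packets with visible flags that are not a bare SYN,
    i.e. mid-stream packets that matched no state."""
    return [e for e in entries
            if e.action == "block" and e.flags is not None and not e.is_syn]


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_LOG)
    print("blocked per rule:", blocked_by_rule(parsed))
    print("truncated ([|tcp]):", truncated_count(parsed))
    for e in blocked_non_syn(parsed):
        print("blocked without state:", e.src, ">", e.dst, "flags", e.flags)
```

Feed it the output of the tcpdump command on pflog0 (with a snaplen large enough to avoid `[|tcp]`); a high count for the catch-all rule together with a long `blocked_non_syn` list is the signature of the situation described in the thread, where packets arrive for connections pf holds no state for.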