Stuart Henderson wrote:
> ...
> turn up pfctl -x to misc or noisy and see if anything useful
> shows up in syslog.

Hi,

yes, I do find some cryptic lines in the syslog:

    Oct 13 17:53:32 zettachring1 /bsd: pf: BAD state: TCP out wire: 93.189.172.2:179 93.189.172.3:38167 stack: - [lo=1120879739 high=1120885531 win=16384 modulator=0 wscale=0] [lo=33691928 high=33708312 win=181 modulator=0 wscale=5] 4:4 PA seq=35845544 (35845544) ack=1120911735 len=19 ackskew=-31996 pkts=2292:4359 dir=in,rev
    Oct 13 17:53:32 zettachring1 /bsd: pf: State failure on: 1 | 5

Hm, what does that mean?

> normally to find the matching rule you would use 'log' in the
> rules and 'tcpdump -neipflog0'.

Yes, I did add the log to every blocking rule. Then tcpdump did show some expected packets (which I produced), but no packets from the bridge. Then I was confused and deleted all rules to see ... .. and found that even with no rule, pf is blocking the bridge.

Since I found some hints that pf's implicit pass does not support some extensions, I even added some pure pass lines with "allow-opts". Since I figured out that blind trying like that does not succeed, I'm asking here.

Roger.
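The two syslog lines above are the output of pf's TCP window tracking (pf_tcp_track_full in OpenBSD's pf.c): the first dumps the state and the offending segment, the second lists which of six sequence/ack window checks failed, numbered 1-4 for the strict checks and 5-6 for the same checks with MAXACKWINDOW (65535) of slack. The decoder below is an added example, not code from the thread or from the OpenBSD project; it re-runs those checks over the logged fields and reproduces the "1 | 5" verdict. The check order and the src/dst swap on "rev" follow my reading of pf.c and are assumptions about the pf version in use; the sample log is a copy of the thread's lines with the syslog prefix stripped.

```python
import re

MASK = 0xFFFFFFFF
MAXACKWINDOW = 65535  # pf's MAXACKWINDOW constant

# Constructed sample: the two lines from the thread without the
# "Oct 13 17:53:32 zettachring1 /bsd:" prefix.
SAMPLE_LOG = """\
pf: BAD state: TCP out wire: 93.189.172.2:179 93.189.172.3:38167 stack: - \
[lo=1120879739 high=1120885531 win=16384 modulator=0 wscale=0] \
[lo=33691928 high=33708312 win=181 modulator=0 wscale=5] 4:4 PA \
seq=35845544 (35845544) ack=1120911735 len=19 ackskew=-31996 pkts=2292:4359 dir=in,rev
pf: State failure on: 1 | 5"""

TRACKER_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+ wscale=(\d+)\]")
PACKET_RE = re.compile(
    r"(\d+):(\d+) ([A-Z]*) seq=(\d+) \((\d+)\) ack=(\d+) len=(\d+) "
    r"ackskew=(-?\d+) pkts=\d+:\d+ dir=(in|out),(fwd|rev)")


def seq_geq(a, b):
    """pf's SEQ_GEQ: a >= b in 32-bit modular TCP sequence space."""
    return ((a - b) & MASK) < 0x80000000


def to_signed32(x):
    """Reinterpret a 32-bit value as the signed int pf logs for ackskew."""
    x &= MASK
    return x - (1 << 32) if x & 0x80000000 else x


def parse_bad_state(line):
    """Parse a 'pf: BAD state:' line into the fields pf_tcp_track_full used."""
    trackers = TRACKER_RE.findall(line)
    m = PACKET_RE.search(line)
    if len(trackers) != 2 or m is None:
        raise ValueError("not a pf BAD state line: %r" % line)
    state_src, state_dst = [
        {"seqlo": int(lo), "seqhi": int(hi), "max_win": int(win), "wscale": int(ws)}
        for lo, hi, win, ws in trackers]
    _, _, flags, seq, _orig_seq, ack, length, ackskew, _pdir, rel = m.groups()
    # pf prints state->src first. When the segment travels against the
    # state's direction ("rev"), pf_tcp_track_full swaps the two trackers
    # (assumption: matches the pf.c logic for this version).
    src, dst = (state_dst, state_src) if rel == "rev" else (state_src, state_dst)
    seq = int(seq)
    end = (seq + int(length) + ("S" in flags) + ("F" in flags)) & MASK
    return {"seq": seq, "end": end, "ack": int(ack), "ackskew": int(ackskew),
            "src": src, "dst": dst}


def compute_ackskew(p):
    """ackskew = dst->seqlo - ack, as the signed value pf prints."""
    return to_signed32(p["dst"]["seqlo"] - p["ack"])


def failure_codes(p):
    """Re-run the six window checks in the order pf reports them and return
    (code, reason) for each one that fails."""
    src, dst = p["src"], p["dst"]
    seq, end, ackskew = p["seq"], p["end"], p["ackskew"]
    sws, dws = src["wscale"], dst["wscale"]
    checks = [
        ("1", seq_geq(src["seqhi"], end),
         "segment end is past the window high pf tracks for this direction"),
        ("2", seq_geq(seq, (src["seqlo"] - (dst["max_win"] << dws)) & MASK),
         "segment start is before the retransmission window"),
        ("3", ackskew >= -MAXACKWINDOW, "ack is too far behind the peer's seqlo"),
        ("4", ackskew <= (MAXACKWINDOW << sws), "ack is too far ahead of the peer's seqlo"),
        ("5", seq_geq((src["seqhi"] + MAXACKWINDOW) & MASK, end),
         "segment end is past window high even with MAXACKWINDOW slack"),
        ("6", seq_geq(seq, (src["seqlo"] - MAXACKWINDOW) & MASK),
         "segment start is before window low even with MAXACKWINDOW slack"),
    ]
    return [(code, why) for code, ok, why in checks if not ok]


def format_failure(codes):
    """Compact 'State failure on: a b c d | e f' form as it shows up in syslog."""
    left = " ".join(c for c, _ in codes if c in "1234")
    right = " ".join(c for c, _ in codes if c in "56")
    return "State failure on: %s | %s" % (left, right)


if __name__ == "__main__":
    bad_state, reported = SAMPLE_LOG.splitlines()
    pkt = parse_bad_state(bad_state)
    codes = failure_codes(pkt)
    for code, why in codes:
        print("check %s failed: %s" % (code, why))
    print("recomputed ackskew:", compute_ackskew(pkt), "(logged:", pkt["ackskew"], ")")
    print("reconstructed:", format_failure(codes))
    print("logged:       ", reported.split("pf: ", 1)[1])
```

For the thread's lines this reports checks 1 and 5: the segment's sequence number (35845544) is about 2.1 MB past the window high (33708312) pf holds for that direction, while the ack side (checks 3 and 4) is fine. pf therefore drops the segment as out of state even though no rule blocks it, which is exactly the "blocked with no rules" symptom; the usual reason for a tracker that far behind is that pf did not see every segment of the flow, so the window it tracks never advanced.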