> What happens if you limit this to one direction and/or interface? For
> example:
>
> pass out quick on egress proto tcp from 192.168.89.55 to 192.168.92.55 port
> 5001 keep state (pflow)
>
Ok. Now it works, as long as the pflow rule is limited to (direction OR
interface) AND no rule matching the packets from the opposite direction
with pflow enabled follows.

With only one rule in place I get one state table entry and perfect
accounting data:

/etc/pf.conf:

set skip on lo
pass out quick keep state (pflow)

rtr-fra-01# pfctl -vss | grep -A2 5001
all tcp 192.168.89.55:38240 -> 192.168.92.55:5001       FIN_WAIT_2:FIN_WAIT_2
   [1261840914 + 2108288] wscale 6  [123438922 + 5888] wscale 6
   age 00:00:12, expires in 00:01:28, 809292:405808 pkts, 1213932408:21122148 bytes, rule 0, pflow
rtr-fra-01#

bsd-01# flow-print < bsdflow | grep 5001
192.168.89.55   192.168.92.55   6  38240  5001   1213932408  809292
192.168.92.55   192.168.89.55   6  5001   38240  21122148    405808
bsd-01#

Thx a lot!

Regards,
Bernd
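An added example following Bernd's finding (not code from the thread or from OpenBSD): the comment block shows a ruleset that puts pflow on both directions beside one that confines it to the egress side, and the script is a check to run against `pfctl -vss` output on the router, listing any connection that has more than one pflow-flagged state. The `$int_if` macro is an assumed inside interface, and the two sample outputs are constructed to mirror the format shown above, not captured from a real system; the endpoint ordering in the "<-" header is normalized away rather than relied on.

```sh
#!/bin/sh
# Added example, not from the thread. Per the finding above, on a router each
# forwarded connection gets one state per direction, so a second pflow-enabled
# rule matching the opposite direction yields a second pflow state (and a
# second export) for the same connection.
#
#   # double accounting: both directions create a pflow state
#   pass in  on $int_if keep state (pflow)    # $int_if: assumed inside interface
#   pass out on egress  keep state (pflow)
#
#   # corrected: pflow only on the egress side, plain state for the rest
#   pass in  on $int_if keep state
#   pass out on egress  keep state (pflow)
#
# Check: read `pfctl -vss` output on stdin and print "<count> <proto> <A> <B>"
# for every connection that has more than one state carrying the pflow flag.
duplicate_pflow_states() {
    awk '
    # State header lines start in column 1: "all tcp A:p -> B:q STATE" or
    # "all tcp B:q <- A:p STATE"; the detail lines that follow are indented.
    /^[^ \t]/ {
        seen = 0
        if (NF >= 5 && ($4 == "->" || $4 == "<-")) {
            a = $3; b = $5
            # Order the endpoints so both directions of one connection share a key.
            key = (a < b) ? ($2 " " a " " b) : ($2 " " b " " a)
        } else {
            key = ""
        }
        next
    }
    # Detail line: count this state once if its flag list names pflow.
    key != "" && !seen {
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/,$/, "", f)
            if (f == "pflow") { n[key]++; seen = 1; break }
        }
    }
    END { for (k in n) if (n[k] > 1) print n[k], k }
    '
}

# Constructed sample (not real output) for the double-accounting ruleset: the
# same connection shows up as an inbound and an outbound state, both pflow.
sample_two_pflow_states() {
    cat <<'EOF'
all tcp 192.168.92.55:5001 <- 192.168.89.55:38240       ESTABLISHED:ESTABLISHED
   [1261840914 + 2108288] wscale 6  [123438922 + 5888] wscale 6
   age 00:00:12, expires in 00:01:28, 809292:405808 pkts, 1213932408:21122148 bytes, rule 0, pflow
all tcp 192.168.89.55:38240 -> 192.168.92.55:5001       ESTABLISHED:ESTABLISHED
   [1261840914 + 2108288] wscale 6  [123438922 + 5888] wscale 6
   age 00:00:12, expires in 00:01:28, 809292:405808 pkts, 1213932408:21122148 bytes, rule 1, pflow
EOF
}

# Constructed sample for the corrected ruleset: only the egress state is pflow.
sample_one_pflow_state() {
    cat <<'EOF'
all tcp 192.168.92.55:5001 <- 192.168.89.55:38240       ESTABLISHED:ESTABLISHED
   [1261840914 + 2108288] wscale 6  [123438922 + 5888] wscale 6
   age 00:00:12, expires in 00:01:28, 809292:405808 pkts, 1213932408:21122148 bytes, rule 0
all tcp 192.168.89.55:38240 -> 192.168.92.55:5001       ESTABLISHED:ESTABLISHED
   [1261840914 + 2108288] wscale 6  [123438922 + 5888] wscale 6
   age 00:00:12, expires in 00:01:28, 809292:405808 pkts, 1213932408:21122148 bytes, rule 1, pflow
EOF
}

# On the router:  pfctl -vss | sh pflow_dups.sh --stdin
# Without arguments the two constructed samples are checked instead.
if [ "${1:-}" = "--stdin" ]; then
    duplicate_pflow_states
else
    echo "double accounting ruleset:"; sample_two_pflow_states | duplicate_pflow_states
    echo "corrected ruleset:";         sample_one_pflow_state  | duplicate_pflow_states
fi
```

An empty result from the check means every connection is exported from exactly one state, which is the condition Bernd describes; one line per connection with a count of 2 is the signature of a pflow rule matching the opposite direction as well.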