On Thu, May 18, 2006 at 05:24:28PM -0400, Chad M Stewart wrote:

> Status: Enabled for 0 days 02:05:34           Debug: Urgent

The differences in the pfctl -si outputs look like it MUST be a block
rule without 'log' matching those packets, after all.

The grep in your /etc/pf.conf might have been incomplete for two
reasons:

a) you're using 'antispoof', which expands to multiple block
   rules, depending on the networks assigned to the interfaces.

   run the grep again, but against pfctl -sr output instead of
   /etc/pf.conf.

   does any of those block rules not have 'log', and could it
   match your packet?

b) you're using anchors. that means the block-without-log rule
   we're looking for might be hiding in an anchor.

   either grep pfctl -a ... -sr for all anchors, or temporarily
   disable the anchor hooks (comment out the 'anchor' lines in
   /etc/pf.conf, and reload the ruleset) and check if the problem
   persists.

Your ruleset is non-trivial in size, and uses references not defined
within itself (addresses of interfaces, tables), so it's not easy to
manually evaluate it given only the ruleset.

Even if it's tricky on a production firewall, the best approach in
debugging is to narrow the ruleset down. I'd (briefly) disable all
anchors, then (temporarily) clear all tables. That would remove a
significant portion of the possible reasons.

Daniel
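To make the check in (a) and (b) mechanical, here is an added example, not part of Daniel's mail: a small POSIX shell/awk filter that reads a ruleset dump in `pfctl -sr` format and prints every rule that begins with `block` but carries no `log` keyword. The rule text below is a constructed sample standing in for real `pfctl -sr` output; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original mail): find block rules in a PF
# ruleset dump that lack the 'log' keyword. Such rules drop packets
# without producing anything on pflog0, which is the situation debugged
# above. Feed it `pfctl -sr` output; for anchors, feed it the output of
# `pfctl -a <anchor> -sr` for each anchor listed by `pfctl -sA`.

# Constructed sample in `pfctl -sr` style (not taken from a real firewall).
# The antispoof-like rule on line 2 and the IPv6 catch-all on the last
# line are the kind of expanded rules a grep of /etc/pf.conf would miss.
SAMPLE_RULES='block drop log all
block drop in on fxp0 from 10.0.0.0/8 to any
block drop in quick on fxp0 from any to 192.168.1.1
pass in log quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state
block return out log on fxp0 proto tcp from any to any port = 25
anchor "spam" all
block drop in quick inet6 all'

# find_silent_blocks: read rules on stdin, print those whose first word is
# "block" and which contain no standalone "log" token. Tokens are compared
# whole, so a table or interface name that merely contains "log" does not
# count as the keyword.
find_silent_blocks() {
    awk '
        $1 == "block" {
            has_log = 0
            for (i = 2; i <= NF; i++)
                if ($i == "log") has_log = 1
            if (!has_log) print
        }
    '
}

# count_silent_blocks: number of block-without-log rules on stdin.
count_silent_blocks() {
    find_silent_blocks | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_RULES" | find_silent_blocks
```

On a live firewall, `pfctl -sr | find_silent_blocks` covers the main ruleset; looping over `pfctl -sA` and calling `pfctl -a "$anchor" -sr` for each name covers the anchors Daniel mentions in (b). Any rule this prints is a candidate for the silent drop and can be given `log` temporarily so the packet shows up in pflog.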
