Matthias Apitz wrote:
Now my VC tries (for some reason which I don't understand as well) to
initiate a new TCP session here:
13:30:08.499026 IP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: S 49301289:49301289(0) ack 979701897 win 23360 <mss 536>
No, it doesn't. That's a SYN+ACK, not a SYN. You haven't shown us the
SYN packet.
the line in ipf.rules is:
pass out log first quick on em1 proto tcp from any to xxx.xxx.xxx.xxx flags S keep state
Why does the traffic 'TCP 10.0.1.40.2546 > xxx.xxx.xxx.xxx.3233: SYN' not
match the rule?
Because SYN != SYN+ACK.
--
Carson
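
Added example (not part of the original thread, and not ipf's own code): a small Python model of how an ipf-style `flags` test treats SYN versus SYN+ACK. It assumes that a bare `flags S` is compared against all six flags FSRPAU; the function names and the sample packets are constructed for illustration.

```python
# TCP flag bits as they appear in the TCP header (low six bits).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
DEFAULT_MASK = "FSRPAU"  # assumption: mask used when the rule gives no "/mask"


def to_bits(letters):
    """Turn a string of flag letters such as "SA" into a bitmask."""
    bits = 0
    for ch in letters.upper():
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits


def flags_match(spec, packet_flags):
    """Return True if packet_flags satisfies a "WANT" or "WANT/MASK" spec.

    Only the bits named in MASK are compared, and among those bits
    exactly the WANT bits must be set.
    """
    want, _, mask = spec.partition("/")
    mask_bits = to_bits(mask or DEFAULT_MASK)
    return (to_bits(packet_flags) & mask_bits) == to_bits(want)


if __name__ == "__main__":
    # Constructed sample packets: (description, flags set in the header).
    packets = [
        ("initial SYN", "S"),
        ("SYN+ACK, as in the tcpdump line above", "SA"),
        ("plain ACK", "A"),
    ]
    for spec in ("S", "S/SA", "SA/SA"):
        for desc, flags in packets:
            verdict = "match" if flags_match(spec, flags) else "no match"
            print(f"flags {spec:<6} vs {desc:<40} -> {verdict}")
```

With `keep state`, the SYN+ACK reply is normally passed by the state entry created when the initial SYN matched, which is why the SYN packet itself is the one to look for in the capture.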