On Fri, May 06, 2005 at 01:35:12PM +0200, Didier Wiroth wrote:
> I've to disable pf to be able to make cvsup updates.
>
> Tcpdump on pflog0 does not show any blocked/dropped traffic.
are you actually having 'log' in every instance of 'block' action in pf.conf? if disabling pf lets everything work, but enabling pf makes it not work, clearly something in the pf.conf is causing this[1]. i think this is where people are exasperated to suggest again that those who make such requests for a little help with the situation really ought to have posted their entire pf.conf with no 'pertinent sections only'... :/

if indeed there are no lines with 'block' which do not have a 'log', and no 'route-to' action or similar, then maybe it makes sense to turn to looking at any scrub/rdr you're doing. if it works fine with pf disabled, you ought to be able to safely eliminate all 'rdr's and re-test.

i suppose worst case, you could make a 'pass quick all' rule, and put it as the first rule - retest; if that works ok, then move that rule down a line through the ordering of the rules one at a time and retest at each step. the first time it fails, you found your offender - but that is a real crappy way to do the testing, it seems. if you have that as the last rule and it works ok, but doesn't work without it, it's being matched by a block rule or a rdr or something.

you could reset the counters on per-rule stats and then try the cvsup a zillion times real quick without doing much else and see which rule has the highest counter too.

jared

[1] unless the pf.conf is 1 line that says 'pass all', or maybe 0 lines even... etc.

-- 
[ openbsd 3.7 GENERIC ( apr 27 ) // i386 ]

