On Thu, 16 Aug 2012 14:37:50 +0200
LEVAI Daniel <l...@ecentrum.hu> wrote:

> On cs, aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
> > On cs, aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
> > > > Any help would be appreciated.
> > > 
> > > Works for me on 5.1
> > > 
> > > I don't think it's the rule but the combination of rules. Try reordering
> > > your ruleset. I've had a problem before but I forget or never found the
> > > specific reason.
> > 
> > Okay, okay, I'm trying to get my head around this, but how do you
> > explain that changing *only* the 'synproxy' word to 'keep' in the exact
> > same rule makes it work again (not changing order, combination,
> > nothing, but only changing synproxy state to the default keep state)?
> 
> There is definitely something wrong with pppoe + synproxy state:
> 
> # pfctl -sr
> pass all flags S/SA
> pass in on pppoe0 inet proto tcp from <src> to <dst> port = 5555 flags S/SA synproxy state
> 
> This is the only rule. Otherwise it's just 'pass all'. If I remove this
> rule too *or* change synproxy to keep, the connection is working.
> 
> I can reproduce this on two different machines, with different ISPs and
> different NICs facing the ISPs using pppoe.


Do you filter on loopback? The handshake between proxy and server
process is done via loopback. You need to pass this traffic, too.

Christopher
