On Thu, Aug 16, 2012 at 17:18:08 +0200, Christopher Zimmermann wrote:
> On Thu, 16 Aug 2012 14:37:50 +0200
> LEVAI Daniel <[email protected]> wrote:
>
> > On Thu, Aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
> > > On Thu, Aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
> > > > > Any help would be appreciated.
> > > >
> > > > Works for me on 5.1
> > > >
> > > > I don't think it's the rule but the combination of rules. Try reordering
> > > > your ruleset. I've had a problem before but I forget or never found the
> > > > specific reason.
> > >
> > > Okay, okay, I'm trying to get my head around this, but how do you
> > > explain that changing *only* the 'synproxy' word to 'keep' in the exact
> > > same rule makes it work again (not changing order, combination,
> > > nothing, but only changing synproxy state to the default keep state)?
> >
> > There is definitely something wrong with pppoe + synproxy state:
> >
> > # pfctl -sr
> > pass all flags S/SA
> > pass in on pppoe0 inet proto tcp from <src> to <dst> port = 5555 flags S/SA synproxy state
> >
> > This is the only rule. Otherwise it's just 'pass all'. If I remove this
> > rule too *or* change synproxy to keep, the connection is working.
> >
> > I can reproduce this on two different machines, with different ISPs and
> > different NICs facing the ISPs using pppoe.
>
> Do you filter on loopback? The handshake between proxy and server
> process is done via loopback. You need to pass this traffic, too.

With or without 'set skip on lo0' the symptoms are the same.

Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F

