On Fri, Nov 21, 2008 at 10:46 AM, Joe S <[EMAIL PROTECTED]> wrote:
> I added "flags any" to my "pass out" rule and my packets are no longer
> blocked by rule 0.
>
> # pfctl -s rules
> block return log all
> block return in quick inet6 all
> pass quick proto icmp all keep state allow-opts
> pass out quick all flags any keep state allow-opts
> pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
> pass in on fxp0 proto tcp from any to (fxp0) port = www flags S/SA keep state
> pass quick on vlan0 all flags S/SA keep state allow-opts
> pass quick on vlan1 all flags S/SA keep state allow-opts
>
> However, I'm still getting these messages:
>
> # nmap -sS -T5 -sV -p- 2.2.2.2
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-21 09:44 PST
> sendto in send_ip_packet: sendto(4, packet, 44, 0, 2.2.2.2, 16) => No route to host
> Offending packet: TCP 1.1.1.1:33717 > 2.2.2.2:38202 S ttl=57 id=19537 iplen=44 seq=3871189649 win=2048 <mss 1460>
> Sleeping 15 seconds then retrying
>
> Why would it say no route to host? I can reach that system just fine.
>
> (By the way, those are not the real IPs)
Perhaps you're hitting pf's default state limit? If you're going to be nmapping, I highly recommend doing it from a host that's not firewalled.
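A way to confirm the state-limit hypothesis raised above, as an added example that is not part of either message in the thread: compare `current entries` from `pfctl -s info` against the `states hard limit` from `pfctl -s memory` (10000 by default), and look at the `memory` counter in the `pfctl -s info` Counters section, which pf increments each time it cannot create a new state, including when the state table is full. The `pfctl` output embedded below is constructed to match the format of those commands so the script runs offline; on a real firewall you would capture the two commands' output into the same two variables. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: is the pf state table at or near its hard limit?
# PF_INFO / PF_MEM hold constructed sample output. On a live host use:
#   PF_INFO=$(pfctl -s info); PF_MEM=$(pfctl -s memory)

# Constructed sample: table nearly full and allocation failures already counted.
PF_INFO='State Table                          Total             Rate
  current entries                     9987
  searches                        1234567           123.4/s
  inserts                           23456             2.3/s
  removals                          13469             1.3/s
Counters
  match                             23456             2.3/s
  bad-offset                            0             0.0/s
  memory                              842             0.1/s
  state-mismatch                        0             0.0/s'

# Constructed sample: a healthy table for comparison.
PF_INFO_OK='State Table                          Total             Rate
  current entries                     1200
  inserts                            5600             0.9/s
Counters
  match                              5600             0.9/s
  memory                                0             0.0/s'

# Constructed sample of `pfctl -s memory` with the default state limit.
PF_MEM='states        hard limit  10000
src-nodes     hard limit  10000
frags         hard limit   5000'

# pf_state_usage INFO MEM
# Prints: "<current entries> <states hard limit> <percent used> <memory counter>"
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ {print $3}')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" {print $4}')
    memfail=$(printf '%s\n' "$1" | awk '$1 == "memory" {print $2}')
    pct=$(( cur * 100 / lim ))
    printf '%s %s %s %s\n' "$cur" "$lim" "$pct" "$memfail"
}

# pf_state_verdict INFO MEM
# Prints "exhausted" if state creation has already failed or the table is
# full, "near-limit" above 90% utilisation, otherwise "ok".
pf_state_verdict() {
    set -- $(pf_state_usage "$1" "$2")
    if [ "$4" -gt 0 ] || [ "$3" -ge 100 ]; then
        echo exhausted
    elif [ "$3" -ge 90 ]; then
        echo near-limit
    else
        echo ok
    fi
}

# Stand-alone run: report on both constructed samples.
echo "busy firewall:    $(pf_state_usage "$PF_INFO" "$PF_MEM") -> $(pf_state_verdict "$PF_INFO" "$PF_MEM")"
echo "healthy firewall: $(pf_state_usage "$PF_INFO_OK" "$PF_MEM") -> $(pf_state_verdict "$PF_INFO_OK" "$PF_MEM")"
```

A non-zero `memory` counter with a near-full table is the signature to look for: the firewall is refusing to create states for new connections, which is how a full-range SYN scan through a stateful `pass out ... keep state` rule can exhaust the table on the scanning host itself. Fixing it means raising `set limit states` in `pf.conf` or, as the reply suggests, not scanning through the firewall at all.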

