On 3 May 09 at 18:04, (private) HKS wrote:
> > Setting the rule "pass quick from any to any" at the beginning of my pf.conf file doesn't solve the problem. I always have block on these packets ....
> >
> > Logs of pftop tool :
> >
> > pfTop: Up Rule 1-55/71, View: rules, Cache: 10000
> >
> > RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
> >    0 Pass   Any     Q       K  560 69035     96     all flags S/SA
> >    1 Block  Any Log             44  1772      0     drop all
> >
> > This is the option in the pf.conf file :
> >
> > set block-policy drop
> > set skip on {gif0}
> > set loginterface $ext_if
> > set limit { states 100000, frags 50000 }
> > set optimization normal
> > set state-policy if-bound
>
> Remove that last line and it should work. If not, send the output of pfctl -s rules.
>
> -HKS
I removed the state-policy but it doesn't work. This is the result of pfctl -s rules :

# pfctl -s rules
scrub all no-df random-id fragment reassemble
pass quick on enc0 all flags S/SA keep state
block drop log all
pass quick inet proto tcp from <public-ip> port = smtp to any flags S/SA keep state
pass quick inet proto tcp from <mail-server> port = smtp to any flags S/SA keep state
pass quick inet proto tcp from any port = smtp to <public-ip> flags S/SA keep state
pass quick inet proto tcp from any port = smtp to <mail-server> flags S/SA keep state
pass quick inet proto tcp from any to <public-ip> port = smtp flags S/SA keep state
pass quick inet proto tcp from any to <mail-server> port = smtp flags S/SA keep state
pass quick inet proto tcp from <public-ip> to any port = smtp flags S/SA keep state
pass quick inet proto tcp from <mail-server> to any port = smtp flags S/SA keep state
pass quick inet proto tcp from <public-ip> port = https to any flags S/SA keep state
pass quick inet proto tcp from <mail-server> port = https to any flags S/SA keep state
pass quick inet proto tcp from any to <public-ip> port = https flags S/SA keep state
pass quick inet proto tcp from any to <mail-server> port = https flags S/SA keep state
pass quick inet proto icmp all icmp-type echoreq keep state
pass quick inet proto icmp all icmp-type echorep keep state
pass quick proto ospf all keep state
pass quick proto pfsync all keep state
pass quick proto carp all keep state
pass in quick on em3 proto esp from <vpn_noipencap> to <ip_public> keep state
pass in quick on em3 proto udp from <vpn_noipencap> to <ip_public> keep state
pass in quick on em3 from <vpn_ipencap> to <ip_public> flags S/SA keep state
pass out quick on em3 from <ip_public> to any flags S/SA keep state

Thanks.
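Added example, not part of the thread and not pf source code: a simplified Python model of how pf decides between rule 0 (pass quick, flags S/SA) and rule 1 (block) from the quoted pftop listing, including the state lookup that "set state-policy if-bound" changes. The packets, the flow labels c1 to c3 and the second interface em0 are constructed for illustration.

```python
# Simplified model of pf evaluation order (added example, not pf source code).
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    quick: bool = False
    flags: tuple = None         # (set, mask) such as ("S", "SA"); TCP only

@dataclass
class Packet:
    flow: str                   # hypothetical label for one connection
    iface: str
    proto: str = "tcp"
    tcp_flags: str = ""         # e.g. "S", "SA", "A"

def matches(rule, pkt):
    if rule.flags and pkt.proto == "tcp":
        want, mask = rule.flags
        # Of the flags named in mask, exactly those in want must be set.
        return {f for f in pkt.tcp_flags if f in mask} == set(want)
    return True                 # non-TCP packets ignore the flags criterion

def evaluate(rules, pkt, states, if_bound):
    """Return (action, rule number); the number is None on a state hit."""
    key = (pkt.flow, pkt.iface if if_bound else None)
    if key in states:
        return ("pass", None)   # existing state: the ruleset is not consulted
    action, number = "pass", None       # implicit default when nothing matches
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            action, number = rule.action, n
            if rule.quick:
                break           # quick makes the first match final
    if action == "pass" and number is not None:
        states.add(key)         # keep state
    return (action, number)

# Rules 0 and 1 as pftop lists them in the quoted message.
RULES = [Rule("pass", quick=True, flags=("S", "SA")), Rule("block")]

def run(if_bound):
    states = set()
    # Constructed packets: flow c1 has its SYN on em3 and a later ACK on em0.
    pkts = [Packet("c1", "em3", tcp_flags="S"), Packet("c1", "em0", tcp_flags="A"),
            Packet("c2", "em3", tcp_flags="A"), Packet("c3", "em3", proto="icmp")]
    return [evaluate(RULES, p, states, if_bound) for p in pkts]
```

In this model a TCP packet without SYN and without a matching state never matches rule 0 and is decided by rule 1; on a live system, pfctl -vvs rules prints the rule numbers to compare against the rule number recorded for each logged block.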

