TL;DR: I have a filtering situation that I imagine is a bit unusual, which I wish to use to work around a problem with an ISP; to do it I need to filter some packets _before_ they're matched by the PF states.
First the background, then what I want to do to work around the issue.

Background: I've got an OpenBSD 5.1 Soekris box as my local firewall/NAT box. We have an ISP connection that receives sporadic and spurious RST packets for outbound connections. Some connections work, and some are aborted with an RST very soon after opening. Our ISP say they have no stateful stuff and the only real filtering they do is packet dropping in some circumstances (I was imagining a stateful firewall running out of state memory somewhere).

Now I have a new hypothesis; I have yet to prove it: the ISP's backhaul has redundant links with stateful firewalls on them, and they do not synchronise fast enough. Under this hypothesis, our outbound SYN goes out and establishes a connection and some state in a firewall on an outbound link somewhere. Further packets on that connection go out and are sent down another link whose firewall does not yet know about the new connection, eliciting an RST from that firewall. This would explain why this seems to happen at the start of a connection, but successful connections can stay up for a very long time.

The hack: Barring getting the ISP or their backhaul to trace this (and maybe dispatch packets to the links based on hash instead of maybe round robin), I was proposing to drop inbound RST packets altogether at my local firewall. This has obvious downsides, but should generally produce happiness in local applications because the spurious RST packets won't abort connections and TCP will recover as soon as the other (hypothetical) firewalls learn the state.

To do this I need to filter inbound packets before PF's "known states first" stuff matches the RST and passes it back in. Because we use NAT on outbound connections I must establish state, so I was proposing something looking like this:

  ISP -> satellite-modem -> FW

Inside my local firewall:

  interface-with-stateless-PF-filtering
    drop inbound RST packets here
  vlan (or something) with stateful rules
    PF rules doing NAT etc

but I don't know how to set this up. I was figuring the stateless rules would look a bit like this:

  drop quick on $if_sat flags R/R no state
  pass in on $if_sat binat to 188.8.131.52

Ignore the bad syntax on that second rule. Then internally I'd have some kind of virtual interface with 184.108.40.206 on it running conventional NAT rules; those currently running on my $if_sat would be moved to here.

Can someone point me in a direction to set something like this up please? Or to suggest a better approach to prefiltering packets?

Personally I'd prefer to have a mode for PF where it ran all packets through the rules regardless of state for some pre-filtering and then let me put in a rule like:

  pass in quick on $if_nat matching states

after the prefiltering, to do PF's usual match-states-first at that point, with the conventional rules following.

Suggestions welcomed!

Cheers,
-- 
Cameron Simpson <c...@zip.com.au>

Japanese phrase for the day: ikajanai ``(lit.) I am not a squid''
Made-up Japanese word for the day: ika-dou ``The way of the squid''.
- Jeffrey Eric Francis Friedl, jfri...@omron.co.jp, DoD##4
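Before dropping every inbound RST at the border, the hypothesis in the post (RSTs arriving soon after the handshake, while established connections survive) can be checked against a capture taken on the outside interface. The script below is an added example, not code from the original post; it reads tcpdump -ttn style lines (constructed here, not a real capture), tracks each outbound connection from its SYN, and classifies the first inbound RST as "early" or "late" relative to a time window. The inside prefix 10.0.0. and the 1-second window are assumptions for the example.

```python
import re

# Constructed sample lines in "tcpdump -ttn" style (epoch timestamps); not a real capture.
SAMPLE_LINES = """\
1700000000.000000 IP 10.0.0.5.40001 > 203.0.113.10.443: Flags [S], seq 100
1700000000.020000 IP 203.0.113.10.443 > 10.0.0.5.40001: Flags [S.], seq 900, ack 101
1700000000.020500 IP 10.0.0.5.40001 > 203.0.113.10.443: Flags [.], ack 901
1700000000.050000 IP 203.0.113.10.443 > 10.0.0.5.40001: Flags [R], seq 901
1700000001.000000 IP 10.0.0.5.40002 > 203.0.113.20.80: Flags [S], seq 200
1700000001.030000 IP 203.0.113.20.80 > 10.0.0.5.40002: Flags [S.], seq 800, ack 201
1700000001.031000 IP 10.0.0.5.40002 > 203.0.113.20.80: Flags [.], ack 801
1700000001.040000 IP 10.0.0.5.40002 > 203.0.113.20.80: Flags [P.], seq 201:300, ack 801
1700000002.000000 IP 10.0.0.5.40002 > 203.0.113.20.80: Flags [F.], seq 300, ack 801
1700000003.000000 IP 10.0.0.5.40003 > 203.0.113.30.22: Flags [S], seq 300
1700000003.040000 IP 203.0.113.30.22 > 10.0.0.5.40003: Flags [S.], seq 700, ack 301
1700000040.000000 IP 203.0.113.30.22 > 10.0.0.5.40003: Flags [R.], seq 701, ack 301
"""

# Matches the prefix of a tcpdump TCP line: timestamp, endpoints and the flag field.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)

LOCAL_PREFIX = "10.0.0."   # assumption: the inside network behind the NAT box
EARLY_RST_WINDOW = 1.0     # assumption: seconds after our SYN within which an RST is "early"


def classify_rsts(lines, local_prefix=LOCAL_PREFIX, window=EARLY_RST_WINDOW):
    """Map each locally-originated 4-tuple to 'early_rst', 'late_rst' or 'no_rst'.

    Only connections we opened (a bare SYN leaving the inside network) are
    tracked, and only the first inbound RST per connection is counted.
    """
    syn_time = {}   # 4-tuple -> timestamp of our outbound SYN
    verdict = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # not a TCP line we understand; skip it
        ts = float(m['ts'])
        flags = m['flags']   # tcpdump notation: S=SYN, .=ACK, R=RST, F=FIN, P=PSH
        if m['src'].startswith(local_prefix):
            key = (m['src'], int(m['sport']), m['dst'], int(m['dport']))
            if 'S' in flags and '.' not in flags:   # bare SYN: connection opened by us
                syn_time[key] = ts
                verdict[key] = 'no_rst'
        else:
            # Inbound packet: normalise to the same (local, remote) key ordering.
            key = (m['dst'], int(m['dport']), m['src'], int(m['sport']))
            if key in syn_time and 'R' in flags and verdict[key] == 'no_rst':
                age = ts - syn_time[key]
                verdict[key] = 'early_rst' if age <= window else 'late_rst'
    return verdict


def summarize(verdicts):
    """Count connections per verdict; a high early_rst share supports the hypothesis."""
    counts = {'no_rst': 0, 'early_rst': 0, 'late_rst': 0}
    for v in verdicts.values():
        counts[v] += 1
    return counts


if __name__ == "__main__":
    result = classify_rsts(SAMPLE_LINES.splitlines())
    for key, v in sorted(result.items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {v}")
    print(summarize(result))
```

Run against a real capture with `tcpdump -ttn -i <outside-if> tcp | python3 this_script.py` after replacing SAMPLE_LINES with `sys.stdin`; if nearly all RSTs land inside the window and established connections never see one, that is consistent with the unsynchronised-state explanation and bounds the damage of a blanket RST drop (only young connections would have been affected anyway).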