On Sun, Jul 28, 2002 at 10:49:44PM -0700, mike schiffman wrote: > pass out proto tcp from any to any flags S/SA keep state
Try pass out from any to any allow-opts instead. pf, by default, blocks packets with IP options. If you want to pass them, use the 'allow-opts' rule parameter. Also, if you pass TCP packets statefully (with 'keep state'), pf will use the TCP flags to track the connection, and automatically drop certain combinations or sequences. If you don't want that, don't use 'keep state', but pass those packets statelessly. Daniel
