Taken from deadly.org: "Some problems with pf losing state information", by Timothy Dyck, eWEEK Labs ([EMAIL PROTECTED]), posted Monday, December 09 @04:30AM
One thing people will notice in the pf.conf files is some rules that explicitly allow reply traffic through the firewall when a "keep state" parameter on the incoming traffic rule should have taken care of this automatically. Here's an example:

    pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
    pass in on $int_if proto udp from $name_server_ip port domain to $int_if keep state label "int_if_in_$srcaddr_$srcport->$dstaddr"   # shouldn't need this line

When I watched the log of blocked packets, I'd find that a small number of reply packets were getting blocked until I added reply rules like the second one above. It appeared that pf was losing track of the state of certain incoming connections, and so generated reply traffic wasn't being correctly associated with incoming traffic. Anyone experienced this? It wasn't a big problem, but I shouldn't have needed those extra rules. This is with the OpenBSD 3.2 release.

Thanks,
Tim Dyck
eWEEK Labs
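For readers who want to reproduce the setup the post describes, here is an added example of a minimal OpenBSD 3.2-style pf.conf (not from the original post and not Tim's actual ruleset) that relies on "keep state" alone, with a logged default deny so that any reply packet that fails to match its state shows up on pflog0. The interface name and addresses behind the macros are assumptions; the post does not give them.

```pf
# Added example, not the original poster's pf.conf. Macro values are assumed.
int_if            = "fxp0"
mail_relay_ok_net = "192.0.2.0/24"
name_server_ip    = "192.0.2.53"

# Default deny in both directions, logged, so that every blocked packet is
# written to pflog0 and can be watched with tcpdump.
block in  log all
block out log all

# Inbound SMTP from the trusted relay network. "keep state" creates a state
# entry on the first packet; the SYN/ACK and later replies from port 25 back
# to the relay should match that entry and need no rule of their own.
pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp \
    keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"

# The firewall's own DNS lookups. The state created here is what should let
# the name server's answer (source port 53) back in. The extra
# "pass in ... from $name_server_ip port domain" rule in the post is only a
# workaround for answers that failed to match this state.
pass out on $int_if proto udp from $int_if to $name_server_ip port domain \
    keep state label "int_if_out_$srcaddr->$dstaddr_$dstport"
```

Load it with `pfctl -f /etc/pf.conf`, then, while mail and DNS traffic flows, compare `pfctl -s state` (the live state table) against `tcpdump -n -e -ttt -i pflog0` (blocked packets, each tagged with the number of the block rule that matched). `pfctl -v -s rules` prints per-rule packet and byte counters, so a nonzero count on the second block rule while the corresponding state is still listed is the situation the post describes; a blocked reply whose state has already disappeared from `pfctl -s state` points instead at the state having expired before the reply arrived.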
