Heya, I'm having a bit of trouble with return-rst and an ECN enabled host. I have a machine that lives on 192.168.0.3 and acts as a mailserver for a few internal networks. Because it shouldn't contact the outside world to send its mail, port 25 is blocked for this machine with the following pf rule:

block return-rst in log quick on sf1 inet proto tcp from 192.168.0.3 to ! 192.168.0.0/16 port = 25

Now, whenever I try to telnet (on port 25, just to test) to an outside IP address my connection times out instead of being refused. This is the pflog entry for that connection attempt:

Feb 14 08:34:02.357248 rule 2/0(match): block in on sf1: 192.168.0.3.22900 > 195.130.132.40.25: SWE 1696140415:1696140415(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954494099 0> (DF) [tos 0x10]

I've traced the problem down to the fact that 192.168.0.3 has ECN enabled. When I disable ECN on that host the connection gets refused immediately. Here's the pflog entry for that:

Feb 14 08:33:42.544031 rule 2/0(match): block in on sf1: 192.168.0.3.9789 > 195.130.132.45.25: S 3275163967:3275163967(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954494059 0> (DF) [tos 0x10]

And now down to the question. How can I get pf to return-rst on a blocked TCP ECN connection? Just to make sure, I've tried adding allow-opts to that block rule, but that wouldn't load as allow-opts is only for pass rules. Any ideas?

If needed I can post my complete pf.conf, but it's really only that specific rule I'm having trouble with.

I'm running current from February 8 sources on the router/firewall (192.168.0.1), i386. The network card in there is an Adaptec quartet 62044 card, sf driver. 192.168.0.3 is running 3.2 stable, all patches installed. Also on i386, this time with a tl card, "Compaq Embedded Netelligent 10/100 TX".

Thanks in advance.

// nick
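As an added example (not part of nick's post), here is a small Python script that parses pflog text lines like the two quoted above and picks out the blocked ECN-setup SYNs (flags SWE rather than plain S), which is a quick way to confirm that the connections timing out are exactly the ECN ones; the regex and its group names are my own assumption about the tcpdump output format, not anything pf defines.

```python
import re
from typing import Dict, List, Optional

# Matches the text that `tcpdump -n -e -ttt -r /var/log/pflog` prints for a TCP
# packet. The group names below are my own choice (assumption), not pf's terms.
PFLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:.]+\s+rule\s+(?P<rule>\d+)/\d+\(\w+\):\s+"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s"
)

def parse_pflog_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one pflog text line; None for lines that are not TCP rule matches."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ecn_setup_syn(flags: str) -> bool:
    """True for a connection attempt from an ECN-capable client: tcpdump prints a
    SYN with both ECE and CWR set as 'SWE', while an ordinary SYN is just 'S'."""
    return "S" in flags and "E" in flags and "W" in flags

def blocked_ecn_syns(lines: List[str]) -> List[Dict[str, str]]:
    """Blocked ECN-setup SYNs: the attempts that, as the post describes, got
    no RST back and so hung until the client timed out."""
    found = []
    for line in lines:
        e = parse_pflog_line(line)
        if e and e["action"] == "block" and is_ecn_setup_syn(e["flags"]):
            found.append(e)
    return found

# Constructed sample input: the two pflog lines quoted in the post.
SAMPLE = [
    "Feb 14 08:34:02.357248 rule 2/0(match): block in on sf1: 192.168.0.3.22900 > "
    "195.130.132.40.25: SWE 1696140415:1696140415(0) win 16384 <mss 1460,nop,nop,"
    "sackOK,nop,wscale 0,nop,nop,timestamp 1954494099 0> (DF) [tos 0x10]",
    "Feb 14 08:33:42.544031 rule 2/0(match): block in on sf1: 192.168.0.3.9789 > "
    "195.130.132.45.25: S 3275163967:3275163967(0) win 16384 <mss 1460,nop,nop,"
    "sackOK,nop,wscale 0,nop,nop,timestamp 1954494059 0> (DF) [tos 0x10]",
]

if __name__ == "__main__":
    for e in blocked_ecn_syns(SAMPLE):
        print(f"rule {e['rule']} on {e['iface']}: ECN SYN {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} blocked, flags {e['flags']}")
```

Run it against the real log with `tcpdump -n -e -ttt -r /var/log/pflog | python3 script.py` after replacing SAMPLE with `sys.stdin`; only the SWE line from the post is reported, the plain S one is not.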
