On Mon, Jun 23, 2003 at 02:44:49PM +0200, Kenny Gryp wrote:

> What could be the cause of this?

1) Add 'keep state' to all 'pass' rules
2) Add 'log' to all 'block' rules
3) Turn on debug logging (pfctl -xm, see /var/log/messages)

Without 'keep state', you have to manually ensure that packets of each
connection can flow in both directions, which is both error-prone and
impossible to do without passing too much traffic. I never filter
statelessly for those reasons; if you do so on purpose, you'll have to
debug yourself. It seems you wanted to include 'keep state' in your
$tcp_options macro, but you're not using it on all tcp rules, and udp
(and icmp) need 'keep state' as well, if you want to filter statefully.

If you see blocked packets logged, compare them with your ruleset and
verify why they are not passed (if they should be).

If the debug log shows 'BAD state' messages, please quote a couple of
them.

Daniel
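The three points above, shown on a small constructed pf.conf (an added example, not the original poster's ruleset, which is not quoted here): the first ruleset applies $tcp_options to only one tcp rule and leaves udp/icmp stateless, so reply packets hit the silent block rule; the second keeps state on every pass rule and logs every block. The interface name fxp0 and the port numbers are assumptions.

```pf
ext_if = "fxp0"
tcp_options = "flags S/SA keep state"

# --- Ruleset A (the pattern the reply warns about) ---
# block rule without 'log': dropped packets never show up in pflog,
# so there is nothing to compare against the ruleset.
block in on $ext_if all
# Outbound tcp is stateless: the SYN goes out, but the returning
# SYN/ACK matches nothing and is blocked.
pass out on $ext_if proto tcp all
# udp and icmp replies (DNS answers, echo replies) are blocked too,
# because only a state entry would let them back in.
pass out on $ext_if proto udp all
pass out on $ext_if proto icmp all
# Only this rule actually uses the macro, so only inbound ssh
# sessions are tracked.
pass in on $ext_if proto tcp from any to $ext_if port 22 $tcp_options

# --- Ruleset B (1: keep state on all pass, 2: log on all block) ---
block in log on $ext_if all
block out log on $ext_if all
pass out on $ext_if proto tcp all $tcp_options
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $ext_if proto tcp from any to $ext_if port 22 $tcp_options

# 3: raise pf's debug level and watch for 'BAD state' in syslog:
#   pfctl -xm
#   tail -f /var/log/messages
# Logged blocks can then be read with: tcpdump -n -e -ttt -i pflog0
```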
