On Tue, Jun 24, 2003 at 10:37:19PM +0200, Kenny Gryp wrote:

> Jun 24 22:19:55 firewall /bsd: pf: BAD state: TCP 212.123.18.196:80 212.123.18.196:80 213.224.186.172:4004 [lo=2075491983 high=2075524103 win=1 modulator=0] [lo=133175873 high=133175874 win=32120 modulator=0] 4:2 PA seq=133175544 ack=2075491983 len=329 ackskew=0 pkts=3 dir=out,rev
Those state entries look as if they are created not based on the initial SYN, but on later packets. I think what you see is that your ruleset is passing the initial SYN packet of each connection without creating state, then creates state on a later packet of the TCP handshake, probably the SYN+ACK. Again, add 'keep state' to all your 'pass' rules. I understand you try to use the $tcp_options macro for that, but you still have 'pass' rules that don't explicitly have 'keep state' and don't use $tcp_options, either. I really mean it, add 'keep state' to literally ALL 'pass' rules.

Daniel
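The trap Daniel describes is easy to fall into when only some 'pass' rules carry a macro such as $tcp_options and the rest are bare. The following checker is an added example, not code from this thread or from the pf project: it reads a pf.conf, expands macros, and lists every 'pass' rule that ends up with neither 'keep state' nor 'modulate state'. It assumes the pf of that era, where a 'pass' rule without one of those keywords is stateless; the sample ruleset embedded in it is constructed for the demonstration and is not the poster's configuration.

```python
import re

# Constructed sample pf.conf (not the poster's ruleset). Two rules are
# stateful via the $tcp_options macro and an explicit 'modulate state',
# two are bare 'pass' rules that would pass the SYN without creating state.
SAMPLE_PF_CONF = """\
# constructed sample, not the poster's ruleset
ext_if = "fxp0"
tcp_options = "flags S/SA keep state"
pass in on $ext_if proto tcp from any to any port 80 $tcp_options
pass in on $ext_if proto tcp from any to any port 22 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any
pass in on $ext_if proto udp from any \\
    to any port 53
block in all
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?$')   # name = "value"
MACRO_REF = re.compile(r"\$(\w+)")                   # $name
STATEFUL = re.compile(r"\b(?:keep|modulate)\s+state\b")


def logical_lines(text):
    """Yield (first_lineno, line) with comments stripped and
    backslash continuations joined into one logical line."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        if joined:
            yield start, joined
        buf, start = [], None


def parse_macros(text):
    """Collect macro definitions (name = "value") from the ruleset."""
    macros = {}
    for _, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros, depth=10):
    """Substitute $name references; bounded so a self-referencing
    macro cannot loop forever."""
    for _ in range(depth):
        new = MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), line)
        if new == line:
            return new
        line = new
    return line


def stateless_pass_rules(text):
    """Return (lineno, rule) for every 'pass' rule that, after macro
    expansion, carries neither 'keep state' nor 'modulate state'."""
    macros = parse_macros(text)
    findings = []
    for lineno, line in logical_lines(text):
        if not line.startswith("pass"):
            continue
        if not STATEFUL.search(expand(line, macros)):
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, rule in stateless_pass_rules(SAMPLE_PF_CONF):
        print(f"line {lineno}: no 'keep state': {rule}")
```

Run against a real pf.conf by replacing SAMPLE_PF_CONF with the file's contents; on the sample it reports the 'pass out' rule on line 6 and the UDP rule starting on line 7, which are exactly the kind of bare rules that let a SYN through unstated so that state is first created on the SYN+ACK.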
