On Thu, Jul 03, 2003 at 05:31:02PM +0100, Dom De Vitto wrote:

> Q. Duplicate packets get dropped by PF ?

No, pf has to pass them (if they match a state entry), because they
could be retransmissions (an already passed packet can get lost on the
way to the destination, and the source has to retransmit it in that
case, so this may happen in simpler setups as well).

In your setup, you have four interfaces, and potentially four state
entries per connection. But if you try to create all four states, two
pairs will collide (because the address/port quadruple is identical).

There should be a solution for your setup that doesn't require four
states (bound to the interface), so the discussion got side-tracked
here.

Add 'log' to all block rules, enable debug logging (pfctl -xm). Then
reproduce the problem with a minimal ruleset (using keep state, but not
a huge policy), then post the ruleset, blocked packets (from pflogd),
and debug messages (from /var/log/messages).

Daniel
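A minimal ruleset and the commands for the debugging procedure described in the mail, as an added example that is not part of the original message; the interface name and service port are assumptions, so substitute the interfaces of the four-interface setup.

```pf
# Added example, not from the original mail: a minimal /etc/pf.conf for
# reproducing the dropped-duplicate problem. $ext_if and port 22 are assumptions.
ext_if = "fxp0"

# Every block rule carries 'log' so that dropped packets are recorded by pflogd.
block log all

# Keep the policy small: one stateful pass rule per direction is enough
# to reproduce a state-entry collision without a huge ruleset.
pass in  on $ext_if proto tcp from any to any port 22 keep state
pass out on $ext_if proto tcp from any to any keep state

# Commands to run as root, then post all of their output together with this file:
#   pfctl -f /etc/pf.conf                  # load the minimal ruleset
#   pfctl -xm                              # enable debug logging, as in the mail
#   pfctl -s state                         # state entries per interface (shows the collision)
#   tcpdump -n -e -ttt -r /var/log/pflog   # blocked packets recorded by pflogd
#   grep pf /var/log/messages              # pf debug messages
```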
