On Tue, Dec 16, 2003 at 06:41:55PM +0100, [EMAIL PROTECTED] wrote:

> from my debugging, the first connection (which works) goes from one
> interface to pf then to the outbound interface (keep state makes the
> return).
>
> and then with tcpdump on the $int_client I see the other connection
> (the SYN) and no evaluation at all in pf (pfctl -vss) and tcpdump on
> pflog0.
>
> So the packet does not go through pf when the keep state feature is
> enabled.
Sounds like the source/destination address/port pair is reused before the
state is removed. For instance, if the first connection uses
10.1.2.3:789 <-> 10.2.3.4:514, the client is not allowed to reuse source
port 789 before 2MSL (about 120 seconds) for another connection to
10.2.3.4:514. If it does, it violates TCP, and confuses pf.

Enable debug logging (pfctl -xm), reproduce the problem, then check
/var/log/messages for pf related entries. And compare with any state
entries (pfctl -vvss) related to such connections.

Daniel
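The 2MSL port-reuse condition Daniel describes can be checked directly from a tcpdump capture taken on the client-side interface, before looking at pf state tables. The script below is an added example and not part of the original thread or of pf itself: it reads tcpdump-style lines (the sample lines are constructed and embedded in the script, in the modern `Flags [S]` format), tracks each client-to-server 4-tuple, and flags a bare SYN that reuses a 4-tuple sooner than 2MSL (120 seconds, as cited above) after that connection's last FIN/RST or last observed packet. The threshold, the line format and the helper names are assumptions of this example.

```python
import re

TWO_MSL = 120.0  # seconds; 2*MSL as quoted in the reply above (assumption for the check)

# tcpdump line layout assumed here (modern "Flags [...]" style):
#   HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [S], seq ..., win ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample capture: one normal connection, a too-early reuse of the
# same 4-tuple 25 s after it closed, a reuse 150 s later (fine), and an
# unrelated source port.
SAMPLE_LINES = [
    "12:00:00.000000 IP 10.1.2.3.789 > 10.2.3.4.514: Flags [S], seq 100, win 65535, length 0",
    "12:00:00.010000 IP 10.2.3.4.514 > 10.1.2.3.789: Flags [S.], seq 200, ack 101, win 65535, length 0",
    "12:00:00.020000 IP 10.1.2.3.789 > 10.2.3.4.514: Flags [.], ack 201, win 65535, length 0",
    "12:00:05.000000 IP 10.1.2.3.789 > 10.2.3.4.514: Flags [F.], seq 101, ack 201, win 65535, length 0",
    "12:00:05.010000 IP 10.2.3.4.514 > 10.1.2.3.789: Flags [F.], seq 201, ack 102, win 65535, length 0",
    "12:00:30.000000 IP 10.1.2.3.789 > 10.2.3.4.514: Flags [S], seq 300, win 65535, length 0",
    "12:03:00.000000 IP 10.1.2.3.789 > 10.2.3.4.514: Flags [S], seq 400, win 65535, length 0",
    "12:05:00.000000 IP 10.1.2.3.790 > 10.2.3.4.514: Flags [S], seq 500, win 65535, length 0",
]


def parse_line(line):
    """Return (seconds_since_midnight, src, sport, dst, dport, flags) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    return ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def find_port_reuse(lines, two_msl=TWO_MSL):
    """Return [(ts, (src, sport, dst, dport), seconds_since_close)] for every
    bare SYN that reuses a 4-tuple less than two_msl seconds after the previous
    connection on that tuple was last seen closing (FIN/RST) or, if it never
    closed, after its last packet."""
    states = {}      # client->server 4-tuple -> {"opened", "closed", "last"}
    violations = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-TCP or unparseable line
        ts, src, sport, dst, dport, flags = parsed
        key = (src, sport, dst, dport)
        rkey = (dst, dport, src, sport)          # reply direction
        is_bare_syn = "S" in flags and "." not in flags   # SYN, not SYN-ACK
        if is_bare_syn:
            prev = states.get(key)
            if prev is not None:
                ref = prev["closed"] if prev["closed"] is not None else prev["last"]
                age = ts - ref
                if age < two_msl:
                    violations.append((ts, key, round(age, 3)))
            states[key] = {"opened": ts, "closed": None, "last": ts}
            continue
        st = states.get(key) or states.get(rkey)
        if st is None:
            continue  # packet for a connection we never saw open
        st["last"] = ts
        if "F" in flags or "R" in flags:
            st["closed"] = ts
    return violations


if __name__ == "__main__":
    for ts, tup, age in find_port_reuse(SAMPLE_LINES):
        print(f"t={ts:.3f}: SYN reuses {tup[0]}:{tup[1]} -> {tup[2]}:{tup[3]} "
              f"only {age:.2f}s after close (< {TWO_MSL:.0f}s, 2MSL)")
```

Run it against a real capture with `tcpdump -n -tt -i $int_client tcp | python3 script.py`-style plumbing after adjusting `parse_line` to the timestamp format you capture with; every flagged tuple is a candidate for the stale pf state entry that `pfctl -vvss` will still show.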
