Hi, I use the OpenBSD 3.4 release
with PF on a bridge interface.
Look at my pf.conf:
ext_if="xl0"
int_if="vr0"
block return in log all
pass in on $ext_if proto tcp from 192.168.0.0/22 port > 1023 to {192.168.0.2, 192.168.0.3} port 139 keep state
#pass in on $int_if proto tcp from {192.168.0.2, 192.168.0.3} port 139 to 192.168.0.0/22 port > 1023
OK, look at my simple network map:
internal 192.168.0.0/22 (192.168.0.2&3)
|
(vr0)
pf/bridge
(xl0)
|
internal protected with fw (192.168.0.165)
Look at my problem with tcpdump:
Jan 23 18:56:13.631188 rule 0/0(match): block in on vr0: 192.168.0.2.139 >
192.168.0.165.1068: S 860829:860829(0) ack 722533310 win 8760 <mss 1460>
(DF)
The SYN-ACK is blocked!
If I uncomment the second rule (after the keep state rule),
the SYN-ACK is passed!
I have attached two tcpdump files, one per tcpdump capture (on xl0 and vr0).
I tested the 'quick' keyword on my rules,
but it did not solve my problem.
Could you help me, please?
brconfig -a:
bridge0: flags=41<UP,RUNNING>
Configuration:
priority 32768 hellotime 2 fwddelay 15 maxage 20
Interfaces:
xl0 flags=3<LEARNING,DISCOVER>
port 2 ifpriority 128 ifcost 55
vr0 flags=3<LEARNING,DISCOVER>
port 1 ifpriority 128 ifcost 55
Addresses (max cache: 400, timeout: 240):
..
Regards
Attachments: vr0-139.tcpdump, xl0-139.tcpdump (binary tcpdump captures)
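As an added illustration (not code from the original post or from OpenBSD), here is a small Python parser for pflog-style tcpdump lines like the one quoted above; it flags blocked SYN-ACKs that are the return half of a session the poster's pass rule was meant to allow. The allowed server set and port mirror the pass rule, and the sample line is the one from the message rejoined onto a single line.

```python
import re
from ipaddress import ip_address, ip_network

# Values taken from the poster's pass rule (assumed to be the intended policy).
ALLOWED_SERVERS = {ip_address("192.168.0.2"), ip_address("192.168.0.3")}
ALLOWED_PORT = 139
CLIENT_NET = ip_network("192.168.0.0/22")

# One pflog line as printed by tcpdump: timestamp, rule, action, direction,
# interface, src.port > dst.port, TCP flags, then the rest of the segment summary.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\S+): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Return the fields of one pflog tcpdump line as a dict, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"], d["dst"] = ip_address(d["src"]), ip_address(d["dst"])
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["ack"] = " ack " in d["rest"]  # tcpdump prints "ack N" when ACK is set
    return d

def is_blocked_reply_of_allowed_session(pkt):
    """True for a blocked SYN-ACK from an allowed server's port 139 back to a
    high port in the client net, i.e. the reply half of an allowed session."""
    if pkt is None or pkt["action"] != "block":
        return False
    syn_ack = "S" in pkt["flags"] and pkt["ack"]
    return (syn_ack and pkt["src"] in ALLOWED_SERVERS and pkt["sport"] == ALLOWED_PORT
            and pkt["dst"] in CLIENT_NET and pkt["dport"] > 1023)

def find_blocked_replies(lines):
    """Return (interface, src, dst) for every blocked reply found in the log lines."""
    hits = []
    for line in lines:
        pkt = parse_pflog_line(line)
        if is_blocked_reply_of_allowed_session(pkt):
            hits.append((pkt["ifname"], str(pkt["src"]), str(pkt["dst"])))
    return hits

# The line quoted in the message, rejoined onto one line.
SAMPLE = ("Jan 23 18:56:13.631188 rule 0/0(match): block in on vr0: 192.168.0.2.139 > "
          "192.168.0.165.1068: S 860829:860829(0) ack 722533310 win 8760 <mss 1460> (DF)")

if __name__ == "__main__":
    print(find_blocked_replies([SAMPLE]))  # [('vr0', '192.168.0.2', '192.168.0.165')]
```

Running it over a whole `tcpdump -n -e -ttt -r /var/log/pflog` dump makes it easy to see on which bridge interface the return traffic is being dropped.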