On Thu, Oct 21, 2004 at 12:56:44AM -0500, Justin Krejci wrote:
> Here is from one of my servers, the first "pass in" rule is the problem, as
> soon as I removed "keep state" there are no problems with anything and when
> I add "keep state" back in, the problems return.
Your current ruleset is pretty odd, I can't explain why it works at all
(or even better than with 'keep state'). For an incoming connection,
the TCP SYN would pass without creating state, and the outgoing SYN+ACK
reply would create state, including sequence number modulation. I think
that should be breaking the handshake.
a) change your default block rule to
block log on $ExtIf all label "block all"
so outgoing packets are blocked by default and virtual interfaces
like loopback are not affected.
b) add 'flags S/SA' to all 'pass tcp' rules
c) re-add 'keep state' to all 'pass' rules
d) make sure all states are flushed (pfctl -Fs)
e) reproduce the problem
Possibly, connections will be refused now, and pflog shows entries. Also
enable pfctl -xm and check /var/log/messages.
If this shows no effect (i.e. connections can still be established but
stall), try to capture one such connection with tcpdump -nvvvSpi dc0
from TCP handshake to the point of stall.
Daniel
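As an added illustration (not part of Daniel's or Justin's mail), a constructed pf.conf fragment applying steps a) to c) above; the interface name dc0 is taken from the tcpdump command, the allowed services are assumed.

```pf
# Constructed example, not the poster's actual ruleset.
ExtIf = "dc0"

# a) default block only on the external interface, both directions, logged,
#    so loopback and other virtual interfaces are not affected
block log on $ExtIf all label "block all"

# b) + c) 'flags S/SA' means only the initial SYN matches the rule and creates
#    state; the SYN+ACK reply is then handled by the state entry instead of
#    creating a second, reversed state with its own sequence number modulation
pass in  on $ExtIf proto tcp from any to $ExtIf port { 22, 80 } flags S/SA keep state
pass out on $ExtIf proto tcp from $ExtIf to any flags S/SA keep state

# non-TCP traffic has no flags; state is still kept so replies pass
pass out on $ExtIf proto { udp, icmp } from $ExtIf to any keep state
```

After loading this with pfctl -f, step d) (pfctl -Fs) clears states created under the old rules so the test in step e) starts clean.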