> just curious:
> Oct 23 08:51:59 yak /bsd: pf: loose state match: TCP x.x.x.x:80 x.x.x.x:80
> 207.46.98.139:1494 [lo=3575768324 high=3575785124 win=65535
> modulator=1611764520] [lo=4268367800 high=4268429135 win=16800
> modulator=2941226047] 10:10 R seq=3575768324 ack=4268367800 len=0 ackskew=0
> pkts=7:7
> is this logged for debugging?

It is only logged if you do 'pfctl -x misc' or 'pfctl -x loud'. We loosen up the state machine during connection establishment or connection closing because stacks are frequently a little buggy during those times. The debug message is there because I used to investigate all of those occurrences to see if we could handle it better.

In your case, both hosts had exchanged FINs but not the final ACK. Then one of them sent an in-window TCP RST that wasn't an exact sequence match. PF allowed it because the connection was already closing.

.mike
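For triaging these debug messages in bulk, the following is an added example (not part of the original message and not pf code) that parses a `loose state match` line and reports the TCP flags, the two state numbers, and which peer's logged `[lo, high]` range contains the packet's sequence number. The field layout is taken from the line quoted above; the window test is a simplified wraparound-aware range check, an assumption of this sketch and not pf's own acceptance logic.

```python
import re

# Per-peer block as it appears in the quoted line.
PEER = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)\]")
# Trailing part: states, optional flag letters, then the packet fields.
TAIL = re.compile(r"(\d+):(\d+)(?: ([A-Z]+))? seq=(\d+) ack=(\d+) len=(\d+) "
                  r"ackskew=(-?\d+) pkts=(\d+):(\d+)")

def in_window(seq, lo, high):
    """True if lo <= seq <= high in 32-bit sequence space (handles wraparound)."""
    return (seq - lo) % 2**32 <= (high - lo) % 2**32

def parse_loose_match(line):
    """Return a dict of fields for a 'loose state match' line, else None."""
    if "pf: loose state match:" not in line:
        return None
    peers = [dict(zip(("lo", "high", "win", "modulator"), map(int, m.groups())))
             for m in PEER.finditer(line)]
    tail = TAIL.search(line)
    if len(peers) != 2 or tail is None:
        return None
    seq = int(tail.group(4))
    return {
        "states": (int(tail.group(1)), int(tail.group(2))),
        "flags": tail.group(3) or "",
        "seq": seq,
        "ack": int(tail.group(5)),
        "len": int(tail.group(6)),
        "ackskew": int(tail.group(7)),
        "peers": peers,
        # One boolean per logged peer: does its [lo, high] range hold seq?
        "seq_in_window": [in_window(seq, p["lo"], p["high"]) for p in peers],
    }

# The line quoted in the message, rejoined from the wrapped quote.
SAMPLE = ("Oct 23 08:51:59 yak /bsd: pf: loose state match: TCP x.x.x.x:80 "
          "x.x.x.x:80 207.46.98.139:1494 [lo=3575768324 high=3575785124 "
          "win=65535 modulator=1611764520] [lo=4268367800 high=4268429135 "
          "win=16800 modulator=2941226047] 10:10 R seq=3575768324 "
          "ack=4268367800 len=0 ackskew=0 pkts=7:7")

if __name__ == "__main__":
    rec = parse_loose_match(SAMPLE)
    print(rec["flags"], rec["states"], rec["seq_in_window"])
```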
