Daniel Hartmeier wrote:
> On Wed, Mar 29, 2006 at 01:07:10PM +0100, Ian Chard wrote:
> 
>> Can someone please help me track this down?
> 
> Looks like you don't create state on the initial TCP SYN packet, but on
> a subsequent packet (like, the SYN+ACK flowing in the reverse
> direction). That's usually a mistake in the ruleset and not intentional.
> 
> When a state is created from anything but the initial SYN, pf can't
> honour TCP window scaling negotiated between the peers during the
> handshake, and it will eventually block data segments that violate the
> unscaled window.
> 
> Make sure that all your 'pass keep state' rules which can possibly apply
> to TCP packets also use 'flags S/SA' (so they only apply to initial
> SYNs), and that you block other TCP packets by default.

Thanks *so* much for your help!  There was indeed one errant rule right
at the bottom of my long ruleset, which was keeping state on packets
received on the "inside" interface rather than the "outside".  I dropped
the "keep state" from that line, and lo and behold everything's working
swimmingly.

Thanks again
- Ian

-- 
Ian Chard, Unix & Network Administrator   |  E: [EMAIL PROTECTED]
Systems and Electronic Resources Service  |  T:  80587 / (01865) 280587
Oxford University Library Services        |  F:          (01865) 242287
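The ruleset pattern Daniel describes, as an added example that is not from this thread or from Ian's actual pf.conf. Interface names, the internal network and the macro names are assumptions; the point is the missing 'flags S/SA' on the errant rule and the default block that makes the fix stick.

```pf
# Added example (not from the original thread). Names below are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Default deny. Without this, a TCP segment that matches no state and no
# rule is not blocked, and a later careless rule can create state from it.
block all

# WRONG (the kind of errant rule Ian found): no 'flags S/SA', so this rule
# can create state from a SYN+ACK or any mid-stream segment seen on the
# inside interface. Such a state never saw the handshake, so pf cannot know
# the window scale the peers negotiated, and it will eventually drop data
# segments that exceed the unscaled window.
# pass in on $int_if proto tcp from $int_net to any keep state

# RIGHT: create state only from the initial SYN (SYN set, ACK clear) in
# each direction where connections may originate. Replies for the
# connection then match the existing state and need no rule of their own.
pass in  on $int_if proto tcp from $int_net to any flags S/SA keep state
pass out on $ext_if proto tcp from $int_net to any flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and audit every 'pass ... proto tcp ... keep state' line for 'flags S/SA' (a rule without 'proto tcp' can still match TCP and should carry the flags too). `pfctl -ss` lists the current states, which is a quick way to see whether a connection is being tracked from a state that was created from the wrong rule. On OpenBSD 4.1 and later, 'pass' rules default to 'flags S/SA keep state', but rulesets written for earlier releases, like the one in this thread, must spell it out.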
