On Tue, Jul 04, 2006 at 12:12:51PM +0200, Daniel Rapp wrote: > pass out quick on $WAN proto tcp all flags S/SA
Why no 'keep state' here? You really only pass out SYNs, don't pass SYN+ACK back in, and neither pass further (non-SYN) packets? Makes no sense. > If i do a "tcpdump -e -n -ttt -vv -i pflog0" i get: > " > Jul 04 11:48:30.678318 rule 88/(match) [uid 0, pid 6857] pass in on sis3: > bbb.bbb.bbb.bbb.2916 > aaa.aaa.aaa.aaa.25: [|tcp] (DF) (ttl 120, id 41053, > len 40, bad cksum 0! differs by d68) > " > Bad checksum on incoming packets ?, could that be the problem? Retry with added -s 1700 to the tcpdump command. The default snaplen is too short, truncating packets ("[|tcp]"), producing the checksum warnings. > An thoughts ? I see nothing wrong with that dump. If that winsock error is reliable and means the server got a TCP RST, it almost certainly was the external peer sending it. You'll have to get a tcpdump capture of one connection that produces the error in the server, preferably on both interfaces of the bridge. Depending on traffic volume, it might be difficult to get, but try tcpdump'ing all port 25 traffic into a file, then wait until the next server error occurs, then filter the file using the peer's random port number. To prove that it's pf at fault producing the RST, you'll have to show that the server is receiving an RST, the RST was sent out from the bridge's internal interface, and that is has not arrived in on the bridge's external interface. Those peers don't happen to be all from China [1], by any chance? :) Daniel [1] http://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-firewall-of-china/