On Fri, Mar 13, 2009 at 10:25:15AM +0100, Jeremie Le Hen wrote:

> % Mar 13 08:18:52 yoda /netbsd: pf: BAD state: TCP 82.233.239.98:39225 
> 82.233.239.98:39225 88.187.38.85:80 [lo=3443494040 high=3443494041 win=2048 
> modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3041360721 ack=0 len=0 
> ackskew=0 pkts=1:0 dir=out,fwd
> % Mar 13 08:18:52 yoda /netbsd: pf: State failure on:   2     |   6

This message means there already is a state entry for a connection from
82.233.239.98:39225 to 88.187.38.85:80. There must have been some
outgoing packet that created the state entry. If it wasn't from nmap,
what else was it from? If it was from nmap, obviously what has failed
wasn't the FIRST sendto()...

> Also, in my previous email I described an unexpected behaviour in my own
> understanding.  When I disable state tracking, legitimate outward
> connections still work.  The SYN packet is obviously allowed to leave,
> but pf doesn't record the connection state so the SYN/ACK response
> should be dropped.  This doesn't seem to be the case as the box doesn't
> turn deaf :).  Explanation?

You have to look at your entire ruleset, not just the 'pass out' rule.

Either you don't have a generic block rule (default deny policy), or
you have another 'pass in' rule which matches the return packets.

If a packet doesn't match ANY rule in your ruleset, it will pass.

Daniel
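To make the point about the whole ruleset concrete, here is a minimal pf.conf written as an added example for this thread; it is not a ruleset posted by either participant, and the interface name `wm0` is an assumption. It places the weak configuration (no default-deny rule) next to the corrected one, using the explicit `keep state` syntax that the NetBSD pf of that era requires.

```conf
# Added example, not from the original thread. Interface name is assumed.
ext_if = "wm0"

# Options come before filter rules in pf.conf ordering.
# Loopback is not filtered at all.
set skip on lo0

# --- Weak ruleset (what produces the "box does not go deaf" surprise) -----
#
#   pass out on $ext_if proto tcp from any to any port 80
#
# With only this rule and no 'keep state', the SYN leaves, no state entry is
# created, and the returning SYN/ACK matches no rule at all. pf passes any
# packet that matches no rule, so the reply is accepted and the connection
# works even though nothing was tracked.

# --- Corrected ruleset: explicit default deny -----------------------------
# Last matching rule wins, so the catch-all goes first. 'log' sends the
# blocked packets to pflog0 so you can see which rule dropped them.
block log all

# Outbound web connections, tracked in the state table. Replies are let in
# only when they match an existing state entry; there is deliberately no
# 'pass in' rule on $ext_if for this traffic.
pass out on $ext_if proto tcp from any to any port 80 flags S/SA keep state

# Sanity check of the explanation: drop 'keep state' from the rule above and
# the SYN/ACK now hits 'block log all', so port 80 goes deaf, which is the
# behaviour the state-tracking model predicts.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. After loading, `pfctl -vvsr` lists the rules with their `@N` numbers and per-rule evaluation and packet counters, which tells you directly whether the SYN/ACK was matched by a rule you forgot about or by nothing at all; `pfctl -ss` shows the state entries, including the one the "BAD state" message in the quoted log refers to, and `tcpdump -n -e -ttt -i pflog0` shows the rule number for each packet that `block log` dropped.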
