kernel relink segfaults on ALIX
This is a fresh upgrade of current/i386 on an ALIX 2D3. Upon start, kernel relinking fails, with relink.log saying:

    (SHA256) /bsd: OK
    LD="ld" LDFLAGS="-g" sh makegap.sh 0x
    ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o ${OBJS}
    Segmentation fault (core dumped)
    *** Error 139 in /usr/share/relink/kernel/GENERIC (Makefile:1045 'newbsd': @echo ld -T ld.script -X --warn-common -nopie -o newbsd '${SYSTEM...)

/usr/share/relink is empty, with

    /dev/wd0d    1001M    801M    150M    84%    /usr

Am I missing something obvious?

Jan
Trouble with OpenSMTPD - always getting 550 Invalid recipient
Hi. I'm trying to build an OpenSMTPD mail server for the first time to replace my aging Postfix box. No matter who I address inbound eMails to (local users or aliases), I always get "550: Invalid recipient" in response on the sending server and in /var/log/maillog. I've tried more than a dozen configs, and I can't get past this problem. Domain anonymized for my comfort, but DNS is configured correctly.

I've tried to comment everything possible -- if my comments and configs don't match, please let me know where I've gone astray! Here's my entire smtpd.conf file:

    # Random global options
    queue compression                           # Compress data in the queue
    max-message-size 25M
    expire 7d

    # Cryptographic Keys and Certificates
    pki mydomain.email certificate "/etc/ssl/mydomain.crt"
    pki mydomain.email key "/etc/ssl/private/mydomain.key"
    pki mydomain.email dhe auto

    # Define tables
    table blacklist file:/etc/mail/blacklist    # Blacklist of irritating IPs
    table whitelist file:/etc/mail/whitelist    # Whitelist for misconfigured IPs
    table aliases file:/etc/mail/aliases        # Aliases accepted for delivery
    table account file:/etc/mail/account        # Virtual mail accounts
    table domains file:/etc/mail/domains        # Domains to accept mail for
    table users file:/etc/mail/users            # User names with their own mailboxes
    table password file:/etc/mail/password      # Passwords for users

    # Allow specific users to send messages as specific eMail addresses
    #table senders file:/etc/mail/senders

    # Configure interface & standards - add 'verify' to tls-require in the future.
    listen on egress tls-require hostname mydomain.email
    listen on egress smtps hostname mydomain.email
    listen on egress port submission tls-require auth

    # Reject troublemakers
    reject from source
    # Add other filters here?

    # Accept from "whitelisted" IPs that are slightly misconfigured
    accept from source

    # Receive eMails to addresses in the aliases table.
    accept from any for domain alias deliver to mbox
    # Receive eMails to addresses in the virtual account table.
    accept from any for domain virtual deliver to mbox
    # Receive eMails for local users
    accept from any for local deliver to mbox
    # Forward incoming eMails (from authenticated users) to their destination.
    accept for any relay

The messages from my existing Postfix server:

    Apr 18 23:31:08 sybil postfix/smtp[71679]: 55462205F0CD9: to=, relay=mydomain.email[98.76.54.32]:25, delay=2, delays=0.01/0.06/1.9/0.05, dsn=5.0.0, status=bounced (host mydomain.email[98.76.54.32] said: 550 Invalid recipient (in reply to RCPT TO command))
    Apr 18 23:31:08 sybil postfix/smtp[71679]: 55462205F0CD9: to=, relay=mydomain.email[98.76.54.32]:25, delay=2, delays=0.01/0.06/1.9/0.06, dsn=5.0.0, status=bounced (host mydomain.email[98.76.54.32] said: 550 Invalid recipient (in reply to RCPT TO command))

And the messages from /var/log/maillog:

    Apr 19 03:31:06 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=connected address=12.34.56.78 host=olddomain.com
    Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=starttls address=12.34.56.78 host=olddomain.com ciphers="version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256"
    Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command address=12.34.56.78 host=olddomain.com command="RCPT TO: ORCPT=rfc822;user1@mydomain.email" result="550 Invalid recipient"
    Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command address=12.34.56.78 host=olddomain.com command="RCPT TO: ORCPT=rfc822;webmaster@mydomain.email" result="550 Invalid recipient"
    Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=closed address=12.34.56.78 host=olddomain.com reason=quit

Any assistance and insight would be greatly appreciated, as well as some information on how OpenSMTPD treats local users differently from aliases and virtual accounts. Thanks.
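A small triage helper, added here and not code from the post or from OpenSMTPD: it parses the smtpd session events quoted above, pairs every failed RCPT TO with the peer that sent it, and recovers the recipient from the ORCPT parameter when the angle-bracket form is not in the log text, so a 550 against every address from one peer can be told apart from a single mistyped address. The log text is constructed to match the lines in the post (domains anonymized as there).

```python
import re
from collections import defaultdict

# Constructed sample: the smtpd session quoted in the post (domains anonymized).
SAMPLE_MAILLOG = """\
Apr 19 03:31:06 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=connected address=12.34.56.78 host=olddomain.com
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=starttls address=12.34.56.78 host=olddomain.com ciphers="version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256"
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command address=12.34.56.78 host=olddomain.com command="RCPT TO: ORCPT=rfc822;user1@mydomain.email" result="550 Invalid recipient"
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command address=12.34.56.78 host=olddomain.com command="RCPT TO: ORCPT=rfc822;webmaster@mydomain.email" result="550 Invalid recipient"
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=closed address=12.34.56.78 host=olddomain.com reason=quit
"""

# One smtpd session event per line: timestamp, host, pid, 16-hex session id, event name.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<server>\S+) smtpd\[(?P<pid>\d+)\]: '
    r'(?P<sid>[0-9a-f]{16}) smtp event=(?P<event>\S+)(?P<rest>.*)$'
)
# key=value attributes after the event; values are double-quoted (may hold spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Recipient from RCPT TO:<addr>, or from the ORCPT parameter when the bracket form is absent.
RCPT_RE = re.compile(r'TO:\s*<([^>]+)>', re.I)
ORCPT_RE = re.compile(r'ORCPT=rfc822;(\S+)', re.I)


def parse_events(text):
    """Turn raw smtpd log text into a list of dicts, one per session event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a session event line (e.g. a different daemon)
        ev = {k: m.group(k) for k in ('ts', 'server', 'pid', 'sid', 'event')}
        for key, quoted, bare in KV_RE.findall(m.group('rest')):
            ev[key] = quoted if quoted else bare
        events.append(ev)
    return events


def recipient_of(command):
    """Extract the recipient address from a logged RCPT TO command, or None."""
    m = RCPT_RE.search(command) or ORCPT_RE.search(command)
    return m.group(1) if m else None


def summarize_rejections(events):
    """Group failed RCPT TO commands by (remote address, remote host).

    Returns {(address, host): [(recipient, smtp_result), ...]}. A 550 for every
    recipient from one peer points at the receiving server's own rules rather
    than at a mistyped address."""
    rejected = defaultdict(list)
    for ev in events:
        cmd = ev.get('command', '')
        if ev['event'] != 'failed-command' or not cmd.upper().startswith('RCPT TO'):
            continue
        peer = (ev.get('address'), ev.get('host'))
        rejected[peer].append((recipient_of(cmd), ev.get('result')))
    return dict(rejected)


def session_summary(events):
    """Per session id, the ordered event names (shows STARTTLS preceded the 550s)."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev['sid']].append(ev['event'])
    return dict(sessions)


if __name__ == '__main__':
    evs = parse_events(SAMPLE_MAILLOG)
    print(session_summary(evs))
    for (addr, host), rcpts in summarize_rejections(evs).items():
        print(f'{host} [{addr}] rejected {len(rcpts)} recipient(s):')
        for rcpt, result in rcpts:
            print(f'  {rcpt}: {result}')
```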
Android (MTP) with OpenBSD: Tiny success story
I just connected my Android device to OpenBSD, and since I did not find any article on this subject, I want to share my experience.

OpenBSD supports USB Mass Storage Devices (used in usb drives) with umass(4). But Android uses MTP (a file-level protocol, not block-level like umass), so OpenBSD launched ugen(4) to give user-space tools access to some unknown USB device.

I installed the ``simple-mtpfs`` package that uses fuse (user-space fs).

    $ mtp-connect
    $ simple-mtpfs /mnt

and it worked!

You only need to be sure that your screen is unlocked. For some reason my Android does not allow connecting to it.

There is also the ``devel/adb`` port to debug and install .apk, but I haven't tried it yet.
Re: Virtualbox vs latest snapshot
On Tue, Apr 10, 2018 at 6:50 PM, Stuart Henderson wrote:
> On 2018-04-10, csszep wrote:
> > Hi!
> >
> > I installed the latest 04.10 snapshot, the install procedure went fine, but
> > after reboot the VM is stuck in an endless boot loop.
> >
> > It prints only the "booting hda0:/bsd" line.. before reboot
> >
> > The 04.03 snapshot works fine.
> >
> > Is there a similar experience for someone with Virtualbox 5.2.8?
> >
>
> There's a recent bootloader problem, possibly following the update
> to clang 6, that affects some machines. I suspect this might be
> involved here.
>
> To confirm if this is the problem, can you install the older
> snapshot as normal, then update kernel and file sets to the newer
> one? (follow the "Upgrade without the install kernel" steps on
> http://www.openbsd.org/faq/upgrade63.html, except skip the part
> about running installboot to install a new bootloader).
>
> Can you report back either way please (preferably to bugs@, with
> dmesg and anything special about the VM config).. If it is the
> same thing it would be useful for developers to have a way to
> reproduce the problem that doesn't involve specific hardware..
>

FWIW, I noticed that the latest snapshot installed BOOT 3.39, which booted kernels in VirtualBox just fine for me. Thanks again.

--david
Re: dmesg for edgerouter lite
Thus said Sean Murphy on Fri, 13 Apr 2018 22:03:48 -0400
> Hello all, Also upgraded the ERL to 6.3, dmesg to follow.

You might enjoy this post: https://www.undeadly.org/cgi?action=article;sid=20180418073437
my first experience of growfs
hi all.

i found a very nice page ( http://fuguita.org/index.php?BBS%2F3 ). so i followed it, then i managed to clone HDD1 to HDD2 (fdisk, disklabel & growfs):

1) HDD1 < HDD2
2) dd HDD1 to HDD2 (by archlinux)
3) power on HDD2

    boot bsd.rd
    fdisk -e sd0 -> edit 3
    disklabel -E sd0 -> b -> c a
    fsck -fy /dev/rsd0a
    growfs /dev/rsd0a /dev/rsd0a
    reboot

detail is on http://openbsd-akita.blogspot.jp/2018/04/growfs.html but there may be some mistakes, please point them out.

---
regards
Re: Capturing ddb output when "boot reboot" fails
Thanks Stuart.

> Try "call cpu_reset".

That made the machine reboot cleanly. Afterwards, dmesg and dmesg.boot had captured both the 6.3 boot and the 6.3 reboot, but the ddb session in between was missing. Is there a ddb command that flushes the session log to the message buffer?

> Or take photos and please transcribe the most
> important bits - at least the panic / crash string and function names
> from 'trace' - it's a lot quicker to figure out who needs to see it
> if those are available in plaintext in the email.

    (==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
    uvm_fault(0xd0c10110, 0xd44fa000, 0, 1) -> e
    kernel: page fault trap, code=0
    Stopped at      _rb_min+0x12:   movl    0(%edx),%esi
    ddb{0}> trace
    _rb_min(d09c33a8,d1127004) at _rb_min+0x12
    uvm_pmr_get1page(1,0,f5ea0798,0,0,0) at uvm_pmr_get1page+0x105
    uvm_pmr_getpages(1,0,0,1,0,1,2,f5ea0798) at uvm_pmr_getpages+0x1a3
    uvm_pagealloc(d610d630,4000,0,0) at uvm_pagealloc+0x155
    uvn_get(d610d630,4000,0,f5ea0854,f5ea085c,0,4,0) at uvn_get+0xbc
    uvm_fault(d6513310,fa97000,0,4) at uvm_fault+0xaf6
    trap() at trap+0x602
    --- trap(number -2107169536) ---
    end of kernel
    0x14:
    ddb{0}>

Rodney
DRM and IOCTL missing requests
Hello,

OpenBSD doesn't implement some ioctl requests for drm devices, i.e. DRM_PRIME_*. Are there any (and surely obvious) reasons for that?

Nonetheless, is it possible to patch the libdrm headers to keep them undefined? That way it would lead to straightforward errors, instead of having only an errno pointing out an invalid argument. Of course, some functions will drop too, but it would be much safer.

Finally, is there any way to implement it (hints to do so)?

Thanks
Re: thank you for 6.3
Hi,

I am running 6.3 on my diy PC as a desktop and it just works! Thanks from me to all OpenBSD developers...

On 18 April 2018 19:15:02 Scott Bonds wrote:
> Under 6.2 my laptop would hang a few hours after waking from sleep, and it was my own damn fault for running an unsupported config (Lenovo x200 + coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able to get it to hang and I find myself back in 'it just works' land which is so, so nice. So nice. I don't know who to thank, and maybe the dev that fixed my issue wouldn't know *they* fixed it, but...thank you.
No place for "wsfontload" and "wsconscfg" in rc?
Hello,

It may sound silly: nobody uses the console these days (except in emergencies), but I am curious: I want to load a font and set it using wsconsctl display.font. I also want to change the display type.

I can do all of that in rc.local, but there is a separate place for wsconsctl: /etc/wsconsctl.conf. I want to use it, but I can't set display.font there because it is called by rc, hence before rc.local, before my font is loaded. And there is no place for wsconscfg except rc.local.

In NetBSD they solved it by having a separate file for all wscons* stuff: https://www.daemon-systems.org/man/wscons.conf.5.html

In FreeBSD they set everything in rc.conf.

And OpenBSD has:
1) /etc/kbdtype for kbd (it's weird because I can use keyboard.encoding in /etc/wsconsctl.conf)
2) /etc/wsconsctl.conf (for everything else except font loading and virtual display management)

So, there is no place for fonts. And there is no place for wsconscfg (if I want to create a display, changing its type, I should set it in rc.local).

I like the NetBSD approach here, and it seems that it can be implemented using a simple ksh or perl script.

One may say that it is too complicated: why create a separate config file for something that could be done with 3 lines in rc.local. But then why do we have /etc/kbdtype and /etc/wsconsctl.conf?

Ilya
thank you for 6.3
Under 6.2 my laptop would hang a few hours after waking from sleep, and it was my own damn fault for running an unsupported config (Lenovo x200 + coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able to get it to hang and I find myself back in 'it just works' land which is so, so nice. So nice. I don't know who to thank, and maybe the dev that fixed my issue wouldn't know *they* fixed it, but...thank you.
Re: NFS server down, again, and again, and again...
On Wed, Apr 18, 2018 at 01:08:01PM -0400, Rupert Gallagher wrote:
> This is all I managed to retrieve from the logs (/var/log/daemons,
> /var/log/messages):
>
> Mar 12 09:27:20 server mountd[50607]: Socket disconnected
> Mar 29 18:05:30 server mountd[52162]: Socket disconnected
> Apr 16 12:04:07 server mountd[66430]: Socket disconnected
> Apr 17 17:55:26 server mountd[14081]: Socket disconnected
>
> No messages from nfsd and portmap.
>
> If the logs are true, then mountd is the daemon that is causing problems.
>
> The manual says
>
> > -d  Enable debugging mode. mountd will not detach from the
> > controlling terminal and will print debugging messages to stderr.
>
> The above option does not work, because it detaches from the terminal:
>
> > > doas /sbin/mountd -d
> > Here we go.
>

This is how it works when your system is normal:

    $ doas touch /etc/exports
    $ doas mountd -d
    Here we go.
    Getting export list.
    unexporting / /
    unexporting /home /home
    unexporting /tmp /tmp
    unexporting /usr /usr
    unexporting /usr/X11R6 /usr/X11R6
    unexporting /usr/local /usr/local
    unexporting /usr/obj /usr/obj
    unexporting /usr/ports /usr/ports
    unexporting /usr/src /usr/src
    unexporting /var /var
    unexporting /tmpfs /tmpfs
    Getting mount list.
    * waiting here in foreground *

> I tried "mountd_flags=-d" in rc.conf.local, and rebooted the whole OS,
> because mountd refuses soft restart. As a result, the OS refuses to boot.
> System crashed.

On this point, ``rcctl restart mountd'' works fine. Restarting mountd will not harm things already mounted; they will already be handled by one of the running nfsd processes. Also, ``pkill -1 mountd'' tends to work fine as well. You can verify this when you adjust /etc/exports by using ``showmount -e'': make a new or remove an exports entry, SIGHUP the mountd process, and check showmount again. I have never needed to reboot just to reload/restart mountd.

You may want to revisit how you set these machines up, as it is likely that cognitive bias from your 30+ years of experience is making you miss something simple.

>
> On 18 April 2018 2:47 AM, IL Ka wrote:
>
> > You could use ktrace(1) to trace all calls and then use kdump(1) to read
> > them, and it may help you to find what causes it to die, but it may be tricky
> > for anyone except an nfsd developer..
> > You can also try to find the person who supports it by looking at the last commits
> > to:
> > https://github.com/openbsd/src/blame/master/sbin/nfsd/nfsd.c
> > and email this person, but I do not know if it will help, or talk to people
> > on the bugs@ list.
> >
> > Or you can move to samba/smbd: SMB must have good support in Windows.
> >
> > On Wed, Apr 18, 2018 at 2:53 AM, Rupert Gallagher
> > wrote:
> >
> >>> Do you mean nfsd server dies?
> >>
> >> I mean the NFS service as delivered by nfsd, portmap and mountd.
> >>
> >>> Does it provide core dump?
> >>
> >> No!
> >>
> >>> You do not need to restart it
> >> manually: just create a script that checks for server existence (like
> >> ``/etc/rc.d/nfsd check``) and run it if it is dead.
> >> I usually prepare my servers from source with custom patches and settings.
> >> When a server dies on me, it makes a lot of noise in the logs, and it
> >> happens rarely. In 30+ years of activity, I have never restarted a
> >> production server because of clients using it!
> >>
> >> NFS is an exception. I am using the obsd default, and it dies on me under
> >> load and without logs. It is unreliable.
Re: NFS server down, again, and again, and again...
This is all I managed to retrieve from the logs (/var/log/daemons, /var/log/messages):

    Mar 12 09:27:20 server mountd[50607]: Socket disconnected
    Mar 29 18:05:30 server mountd[52162]: Socket disconnected
    Apr 16 12:04:07 server mountd[66430]: Socket disconnected
    Apr 17 17:55:26 server mountd[14081]: Socket disconnected

No messages from nfsd and portmap.

If the logs are true, then mountd is the daemon that is causing problems.

The manual says

> -d  Enable debugging mode. mountd will not detach from the
> controlling terminal and will print debugging messages to stderr.

The above option does not work, because it detaches from the terminal:

> > doas /sbin/mountd -d
> Here we go.

I tried "mountd_flags=-d" in rc.conf.local, and rebooted the whole OS, because mountd refuses soft restart. As a result, the OS refuses to boot. System crashed.

On 18 April 2018 2:47 AM, IL Ka wrote:

> You could use ktrace(1) to trace all calls and then use kdump(1) to read
> them, and it may help you to find what causes it to die, but it may be tricky for
> anyone except an nfsd developer..
> You can also try to find the person who supports it by looking at the last commits to:
> https://github.com/openbsd/src/blame/master/sbin/nfsd/nfsd.c
> and email this person, but I do not know if it will help, or talk to people
> on the bugs@ list.
>
> Or you can move to samba/smbd: SMB must have good support in Windows.
>
> On Wed, Apr 18, 2018 at 2:53 AM, Rupert Gallagher wrote:
>
>>> Do you mean nfsd server dies?
>>
>> I mean the NFS service as delivered by nfsd, portmap and mountd.
>>
>>> Does it provide core dump?
>>
>> No!
>>
>>> You do not need to restart it
>> manually: just create a script that checks for server existence (like
>> ``/etc/rc.d/nfsd check``) and run it if it is dead.
>> I usually prepare my servers from source with custom patches and settings.
>> When a server dies on me, it makes a lot of noise in the logs, and it
>> happens rarely. In 30+ years of activity, I have never restarted a
>> production server because of clients using it!
>>
>> NFS is an exception. I am using the obsd default, and it dies on me under
>> load and without logs. It is unreliable.
Re: OpenBSD blocks IPsec traffic
On Wed, 18 Apr 2018 15:45:04 +0200
"C. L. Martinez" wrote:

> Thanks Marko, but I have found the problem.
>
> These rules are under anchor sub-group rules ... Moving these rules
> to top after "block log all", all is working ...

I'm glad you made it work.

> Maybe is it a bug with anchor rules?

I couldn't comment on this, I don't write PF code, just rulesets :)

However, before considering the possibility of a bug, I would first check if the rule order in pf.conf matches the output of `pfctl -vvsr'. ruleset-optimization is by default set to "basic" (read more in pf.conf(5)), so the rule order you see in pf.conf is often not the rule order that you get in pfctl -vvsr.

Happy firewalling,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: OpenBSD blocks IPsec traffic
Thanks Marko, but I have found the problem.

These rules are under anchor sub-group rules ... Moving these rules to top after "block log all", all is working ...

Maybe is it a bug with anchor rules?

On Wed, Apr 18, 2018 at 3:16 PM, Marko Cupać wrote:
> On Wed, 18 Apr 2018 15:01:24 +0200
> "C. L. Martinez" wrote:
>
> > Hi all,
> >
> > I am trying to configure an ipsec tunnel (host-to-host) between two
> > hosts that go through an openbsd firewall. Tunnel is established, but
> > when I try to, for example, connect via ssh from one host to the
> > other, pf blocks traffic:
> >
> > Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> >
> > To do some tests, I have configured the following rules:
> >
> > pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
> > pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)
> >
> > Any idea?
>
> Hard to say without complete ruleset, but from what I see here, your
> rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
> while no other rule after that (or one before that with 'quick'
> keyword) permits it.
>
> Check exact line with pfctl -vvsr. Add either default 'pass out'
> somewhere below (I prefer it at the end of my ruleset, as I have so far
> never blocked out stuff I already passed in), or pass out exact traffic
> you need, eg:
>
> pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
Re: OpenBSD blocks IPsec traffic
On Wed, 18 Apr 2018 15:01:24 +0200
"C. L. Martinez" wrote:

> Hi all,
>
> I am trying to configure an ipsec tunnel (host-to-host) between two
> hosts that go through an openbsd firewall. Tunnel is established, but
> when I try to, for example, connect via ssh from one host to the
> other, pf blocks traffic:
>
> Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
>
> To do some tests, I have configured the following rules:
>
> pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
> pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)
>
> Any idea?

Hard to say without complete ruleset, but from what I see here, your rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0, while no other rule after that (or one before that with 'quick' keyword) permits it.

Check exact line with pfctl -vvsr. Add either default 'pass out' somewhere below (I prefer it at the end of my ruleset, as I have so far never blocked out stuff I already passed in), or pass out exact traffic you need, eg:

    pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2

Hope this helps,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
OpenBSD blocks IPsec traffic
Hi all,

I am trying to configure an ipsec tunnel (host-to-host) between two hosts that go through an openbsd firewall. Tunnel is established, but when I try to, for example, connect via ssh from one host to the other, pf blocks traffic:

    Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
    Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
    Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
    Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
    Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)

To do some tests, I have configured the following rules:

    pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
    pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)

Any idea?
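As an added example, not code from anyone in this thread: a parser for the pflog output quoted above (the `tcpdump -n -e -ttt -i pflog0` format) that groups blocked packets by rule number, direction, interface, protocol and endpoints, so the rule to look up in `pfctl -vvsr` and the flow it keeps matching are visible at once. The candidate rule it renders is the narrow `pass out ... proto esp` form Marko gives, produced only for port-less protocols; the sample lines are the five from the original post.

```python
import re
from collections import OrderedDict

# The five pflog entries quoted in the original post (tcpdump -n -e -ttt -i pflog0 format).
SAMPLE_PFLOG = """\
Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
"""

# <ts> rule N/(reason) [uid U, pid P] <action> <dir> on <iface>: [<proto>] <src> > <dst> <rest>
# The protocol word is present for esp/ah/etc.; tcp/udp lines put ports on the addresses instead.
ENTRY_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?) '
    r'rule (?P<rule>\d+)/\((?P<reason>[\w-]+)\) \[uid (?P<uid>\d+), pid (?P<pid>\d+)\] '
    r'(?P<action>block|pass|match) (?P<dir>in|out) on (?P<iface>\w+): '
    r'(?:(?P<proto>[a-z]+) )?(?P<src>[0-9A-Fa-f.:]+) > (?P<dst>[0-9A-Fa-f.:]+?)(?=\s|:\s|$)(?P<rest>.*)$'
)
SPI_RE = re.compile(r'\bspi (0x[0-9a-f]+)')
# Protocols pf can match without ports (names as in /etc/protocols); tcp/udp would need ports too.
PORTLESS = {'esp', 'ah', 'gre', 'ipencap'}
FLOW_KEYS = ('rule', 'action', 'dir', 'iface', 'proto', 'src', 'dst')


def parse_entries(text):
    """Parse pflog text into dicts; lines in another shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e['rule'] = int(e['rule'])
        spi = SPI_RE.search(e['rest'])
        e['spi'] = spi.group(1) if spi else None  # the ESP SPI identifies the IPsec SA
        entries.append(e)
    return entries


def group_flows(entries):
    """Collapse entries into flows keyed by FLOW_KEYS, counting hits per rule and flow."""
    flows = OrderedDict()
    for e in entries:
        key = tuple(e[k] for k in FLOW_KEYS)
        f = flows.setdefault(key, {'count': 0, 'first': e['ts'], 'last': e['ts'], 'spi': set()})
        f['count'] += 1
        f['last'] = e['ts']
        if e['spi']:
            f['spi'].add(e['spi'])
    return flows


def candidate_pass_rule(key):
    """Render the narrow pass rule Marko suggests for a blocked port-less flow,
    e.g. 'pass out on vio0 proto esp from A to B'; None for tcp/udp or non-block hits."""
    rule, action, direction, iface, proto, src, dst = key
    if action != 'block' or proto not in PORTLESS:
        return None
    return f'pass {direction} on {iface} proto {proto} from {src} to {dst}'


if __name__ == '__main__':
    for key, f in group_flows(parse_entries(SAMPLE_PFLOG)).items():
        rule, action, direction, iface, proto, src, dst = key
        print(f"rule {rule}: {action} {direction} on {iface} {proto} {src} -> {dst} "
              f"x{f['count']} ({f['first']} .. {f['last']}), spi {sorted(f['spi'])}")
        print(f"  look up rule {rule} in: pfctl -vvsr")
        if candidate_pass_rule(key):
            print(f"  candidate: {candidate_pass_rule(key)}")
```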