|
List Info Thread: outgoing LAN traffic always in "keep state"
[1]
|
||||||||||||
|
about | contact Other archives ( Real Estate discussion Medical topics ) |
||||||||||||
outgoing LAN traffic always in "keep state" |
|
List Info Thread: outgoing LAN traffic always in "keep state"
[1]
|
||||||||||||
|
about | contact Other archives ( Real Estate discussion Medical topics ) |
||||||||||||
infoweapons.com> wrote:
> one note, i observe that reply packets can match a
rule(s) on the
> internal interface.
When it passes through the firewall and out towards the LAN,
right?
> > #normalize outgoing packets IP ID field
> > scrub log on vr0 all random-id fragment
reassemble
Aside: doesn't scrubbing create a state?
This doesn't look like a dump from pfctl, since it has
macros in it.
Can you double-check the active ruleset and make sure it is
equivalent
to what you have in your config file?
pfctl -s rules
I notice that your list macros $lan and $wan have just one
element in
them. This is illegal syntax on OpenBSD, so maybe your
ruleset isn't
loading due to the syntax and hence packets are being
evaluated
against an old ruleset, maybe the default.
Another handy thing is to run "pfctl -s rules -v
-v" twice, with a
decent delay in between, and see what rules are getting
evaluated.
PS: Please don't top-post.
--
"I sometimes have delusions of adequacy" --
Woody Allen
Security "guru" for rent or hire -