Thread: Re: connect(): Operation not permitted

Re: connect(): Operation not permitted
user name
2008-05-18 05:33:51
On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:

> Johan Ström wrote:
>
>> drop all traffic)? A check with pfctl -vsr reveals that the actual
>> rule inserted is "pass on lo0 inet from 123.123.123.123 to
>> 123.123.123.123 flags S/SA keep state". Where did that "keep state"
>> come from?
>
> 'flags S/SA keep state' is the default now for tcp filter rules -- that
> was new in 7.0 reflecting the upstream changes made between the 4.0 and 4.1
> releases of OpenBSD.  If you want a stateless rule, append 'no state'.
>
> http://www.openbsd.org/faq/pf/filter.html#state

Thanks! I was actually looking around in the pf.conf manpage but failed
to find it yesterday, but looking closer today I now saw it.
Applied the no state (and quick) to the rule, and now no state is
created.
And the problem I had in the first place seems to have been resolved too
now, even though it didn't look like a state problem.. (started to deny
new connections much earlier than the states were full, although maybe I
wasn't looking for updates fast enough or something).

Anyways, thanks to all helping me out, and of course thanks to everybody
involved in FreeBSD/pf and all for great products! Cannot be said enough
times ;)
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: connect(): Operation not permitted
user name
2008-05-18 12:29:19
On Sun, May 18, 2008 at 3:33 AM, Johan Ström <johanstromnet.se> wrote:
> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>
>> Johan Ström wrote:
>>
>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags
>>> S/SA keep state". Where did that "keep state" come from?
>>
>> 'flags S/SA keep state' is the default now for tcp filter rules -- that
>> was new in 7.0 reflecting the upstream changes made between the 4.0 and
>> 4.1 releases of OpenBSD.  If you want a stateless rule, append 'no state'.
>>
>> http://www.openbsd.org/faq/pf/filter.html#state
>
> Thanks! I was actually looking around in the pf.conf manpage but failed to
> find it yesterday, but looking closer today I now saw it.
> Applied the no state (and quick) to the rule, and now no state is created.
> And the problem I had in the first place seems to have been resolved too
> now, even though it didn't look like a state problem.. (started to deny new
> connections much earlier than the states were full, although maybe I wasn't
> looking for updates fast enough or something).
>

I'd be willing to bet it's because you're reusing the source port on a
new connection before the old state expires.

You'll know if you check the state-mismatch counter.

Anyway, glad you found a resolution.

-Kian
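Kian's suggestion (look at the state-mismatch counter) can be turned into a repeatable check. The shell snippet below is an added example, not code from the thread or from the pf project: it parses the Counters section of `pfctl -si` output and reports when the state-mismatch counter is non-zero, which is the symptom of new connections colliding with states that have not yet expired. The sample output embedded in it is constructed so the script runs offline, and the function names (`pf_counter`, `check_state_mismatch`) are this example's own; on a FreeBSD host you would pipe the real `pfctl -si` output in instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the pf "state-mismatch"
# counter from `pfctl -si` output. A constructed sample is embedded so the
# script runs offline; on a live host use:  pfctl -si | check_state_mismatch
#
# The two rule forms discussed in the thread (123.123.123.123 is the
# thread's placeholder address):
#   default, stateful:   pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags S/SA keep state
#   explicit, stateless: pass quick on lo0 inet from 123.123.123.123 to 123.123.123.123 no state

# Constructed sample of `pfctl -si` output; the numbers are made up.
SAMPLE_PFCTL_SI='Status: Enabled for 3 days 02:11:47           Debug: Urgent

State Table                          Total             Rate
  current entries                     3
  searches                        10431            0.0/s
  inserts                          1200            0.0/s
  removals                         1197            0.0/s
Counters
  match                            1200            0.0/s
  bad-offset                          0            0.0/s
  fragment                            0            0.0/s
  short                               0            0.0/s
  normalize                           0            0.0/s
  memory                              0            0.0/s
  bad-timestamp                       0            0.0/s
  congestion                          0            0.0/s
  ip-option                           0            0.0/s
  proto-cksum                         0            0.0/s
  state-mismatch                     17            0.0/s
  state-insert                        0            0.0/s
  state-limit                         0            0.0/s
  src-limit                           0            0.0/s
  synproxy                            0            0.0/s'

# pf_counter NAME [TEXT]: print the Total column of counter NAME.
# Parses TEXT when given, otherwise stdin (so it can sit after a pipe).
pf_counter() {
    if [ $# -ge 2 ]; then
        printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2; exit }'
    else
        awk -v n="$1" '$1 == n { print $2; exit }'
    fi
}

# check_state_mismatch [TEXT]: exit 0 when the counter is zero, 1 when
# packets matched an existing state but failed its checks (what reusing a
# source port before the old state expires looks like), 2 if not found.
check_state_mismatch() {
    n=$(pf_counter state-mismatch "$@")
    if [ -z "$n" ]; then
        echo "state-mismatch counter not found in input" >&2
        return 2
    fi
    if [ "$n" -gt 0 ]; then
        echo "state-mismatch=$n: connections are colliding with states that have not yet expired"
        return 1
    fi
    echo "state-mismatch=0: no state collisions recorded"
    return 0
}

# Demo run on the constructed sample (non-zero status is the interesting case).
check_state_mismatch "$SAMPLE_PFCTL_SI" || echo "(non-zero status: worth investigating)"
```

If the counter climbs while the state table is nowhere near full, Kian's explanation fits: the client is cycling through source ports faster than the old states time out, so a stateless rule (or a shorter TCP timeout) is the fix rather than a larger state limit.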