On Wed, Sep 05, 2018 at 05:14:14PM +0000, Bob Smith wrote:
> I'm banging my head against a brick wall here trying to figure out why PF (on 
> OpenBSD 6.3) is allowing some packets but blocking others?
> Here's the tcpdump:
> Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
> Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
> Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
> Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
> Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]
> Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]
> Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 > 198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 0x60]
> 
> Here are the rules concerned:
> @11 block drop log all
> @39 pass log quick inet from 192.0.2.150 to 198.51.100.158 flags S/SA

I think it is caused by the packets blocked having the RST flag set -- a
consequence of specifying "flags S/SA" in rule @39. Check out man
pf.conf. Look for the section about "flags a/b | any" (line 317 here).
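Added example, not part of the original thread and not pf's own code: a small Python model of the "flags a/b" check and of pf's last-match/quick rule evaluation, replayed over the tcpdump lines quoted above (rejoined onto one line each). The Packet and Rule classes, the log parser and the two-rule ruleset are this script's own simplifications; it models only what is visible in the post (addresses, ports, UDP vs TCP, the TCP flag letters tcpdump prints) and ignores "inet", "log" and interface/direction.

```python
"""Replay pf's "flags a/b" matching over the tcpdump lines quoted in the post.

Added example, not pf's own code: Packet, Rule, the parser and the two-rule
ruleset are this script's simplifications.  Only the fields visible in the
post's log lines are modelled (addresses, ports, UDP vs TCP, TCP flags).
"""
import dataclasses
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the post's tcpdump lines, rejoined onto one line each.
SAMPLE_LOG = """\
Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]
Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]
Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 > 198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 0x60]
"""

LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?:in|out) on \S+: "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# tcpdump prints the TCP flag letters (S, R, P, F, or "." for none) before seq:seq(len),
# followed by "ack N" when ACK is set.
TCP_RE = re.compile(r"^(?P<fl>[FSRP.]+) \d+:\d+\(\d+\)(?P<ack> ack \d+)?")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                 # "tcp" or "udp"
    tcp_flags: frozenset       # pf flag letters (F S R P A U E W); empty for UDP


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "pass" or "block"
    src: Optional[str] = None  # None matches any host
    dst: Optional[str] = None
    flags: Optional[str] = None  # "a/b", "any", or None (no flags keyword)
    quick: bool = False


def flags_match(spec, tcp_flags):
    """pf 'flags a/b': among the flags listed in b, exactly those in a must be set;
    flags outside b are not examined.  'any' (or no flags keyword) matches everything."""
    if spec is None or spec == "any":
        return True
    must_set, mask = spec.split("/")
    return all((f in tcp_flags) == (f in must_set) for f in mask)


def rule_matches(rule, pkt):
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    # flags only constrain TCP; a rule without "proto" still matches UDP whatever its flags say
    if pkt.proto == "tcp" and not flags_match(rule.flags, pkt.tcp_flags):
        return False
    return True


def evaluate(rules, pkt):
    """pf ruleset semantics: the last matching rule wins unless a matching rule is 'quick'.
    Returns (action, rule number); pf's implicit default when nothing matches is pass."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return (winner.action, winner.number) if winner else ("pass", None)


def parse_log_line(line):
    """Return (Packet, logged action, logged rule number), or None for a line that does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    t = TCP_RE.match(m["rest"])
    if t:
        flags = {c for c in t["fl"] if c != "."}
        if t["ack"]:
            flags.add("A")
        proto = "tcp"
    else:
        proto, flags = "udp", set()   # the post's non-TCP lines are "udp 47" and a TFTP RRQ decode
    pkt = Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto, frozenset(flags))
    return pkt, m["action"], int(m["rule"])


def replay(rules, log_text):
    """For each log line: (packet, verdict computed by this model, verdict pf actually logged)."""
    out = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            pkt, logged_action, logged_rule = parsed
            out.append((pkt, evaluate(rules, pkt), (logged_action, logged_rule)))
    return out


# The two rules from the post as this model represents them: @11 "block drop log all" has no
# flags keyword, @39 carries the explicit "flags S/SA" and is quick.
RULESET = [
    Rule(11, "block"),
    Rule(39, "pass", src="192.0.2.150", dst="198.51.100.158", flags="S/SA", quick=True),
]
# Same ruleset with "flags any" on @39, to see what that change would have done to the RST packets.
RULESET_FLAGS_ANY = [RULESET[0], dataclasses.replace(RULESET[1], flags="any")]


if __name__ == "__main__":
    for pkt, computed, logged in replay(RULESET, SAMPLE_LOG):
        fl = "".join(sorted(pkt.tcp_flags)) or "-"
        print(f"{pkt.proto} {pkt.sport}->{pkt.dport} flags={fl:4} model={computed} pf_logged={logged}")
```

Run as-is it reproduces every verdict in the posted log: the UDP packets match @39 because flags are not examined for non-TCP traffic, and the three RST/ACK packets fail "S/SA" (SYN clear, ACK set) and fall through to @11. Two caveats worth keeping in mind: pf.conf(5) says flags S/SA is already the default for stateful TCP pass rules, so simply deleting the keyword from @39 changes nothing; and an RST that reaches the ruleset at all is one for which pf holds no state, so blocking it is normally what you want. Passing such packets by rule takes "flags any" (as RULESET_FLAGS_ANY shows) or "no state", and the cleaner question is usually why the state that should have matched them was never created or already expired.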
