On Wed, Mar 28, 2018 at 12:43:59PM +0100, Patrick Welche wrote:
> On a toy -current/amd64 system with internal wm0 and external wm1:
>
> # npfctl show
> # filtering: active
> # config: loaded
>
> procedure "log"
>
> group "ext" on wm1 # id="1"
> pass in final family inet6 proto ipv6-icmp # id="2"
> pass out final family inet6 proto ipv6-icmp # id="3"
> pass in final family inet4 proto icmp # id="4"
> pass stateful in final family inet4 proto tcp flags S/SA to
> 192.168.25.65 port 80 apply "log" # id="5"
> block all # id="6"
>
> group "int" on wm0 # id="7"
> pass all # id="8"
>
> group # id="9"
> pass final on lo0 all # id="a"
> block all # id="b"
>
>
> If I
>
> telnet 192.168.25.65 80
>
> I see the connection into ext_if with flag S, but nothing is returned.
> Shouldn't the "stateful"ness allow a reply? (Connecting via int_if
> works, so the httpd is happy.)
Logging on ext's block all shows packets subsequent to the S/SA with
Flags [.] or Flags [P.] being blocked. i.e., logging rules 5 and 6, we
see on npflog0:

1st packet: rule 5.rules.0/0(match): pass in on wm1 ..>..65.80 Flags [S]
2nd packet: rule 6.rules.0/0(match): block in on wm1 ..>..65.80 Flags [.]

so what happened to the state?

Cheers,

Patrick
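Added illustration, not part of the thread and not NPF code: a toy model of what the "pass stateful in ... flags S/SA" rule in the quoted config is expected to do, and what the npflog0 output above looks like when no state is created. The rule list is reduced to rules 5 and 6 of group "ext"; the client address 203.0.113.7 and port 40001 are constructed; keying state on the interface and passing packets that match no rule are simplifying assumptions of the toy, not statements about NPF internals.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str          # "in" or "out" relative to the host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # TCP flags in tcpdump notation: "S", "S.", ".", "P."


def tcp_flag_set(tcpdump_flags: str) -> set:
    """tcpdump prints ACK as '.', so 'P.' is PSH+ACK and '.' is a bare ACK."""
    return {"A" if c == "." else c for c in tcpdump_flags}


def flags_match(spec: str, tcpdump_flags: str) -> bool:
    """'S/SA': of the bits S and A, exactly the bits listed before '/' may be set."""
    want, mask = spec.split("/")
    have = tcp_flag_set(tcpdump_flags)
    return all((bit in have) == (bit in want) for bit in mask)


@dataclass
class Rule:
    rid: str
    action: str             # "pass" or "block"
    stateful: bool = False
    direction: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.dst and self.dst != p.dst:
            return False
        if self.dport and self.dport != p.dport:
            return False
        if self.flags and not flags_match(self.flags, p.flags):
            return False
        return True


class ToyStatefulFilter:
    """State table consulted before the rule list, as a stateful filter is expected to do."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()
        self.log = []

    @staticmethod
    def _state_key(p: Packet):
        # Direction-independent key so the reply (out, src=server) finds the
        # entry created by the first packet (in, dst=server). Toy assumption:
        # state is tied to the interface on which it was created.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.iface, ends[0], ends[1])

    def process(self, p: Packet) -> str:
        desc = f"{p.direction} on {p.iface} {p.src}.{p.sport} > {p.dst}.{p.dport} Flags [{p.flags}]"
        if self._state_key(p) in self.states:
            self.log.append(f"state(match): pass {desc}")
            return "pass"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.stateful:
                    self.states.add(self._state_key(p))   # first match creates the state
                self.log.append(f"rule {r.rid}(match): {r.action} {desc}")
                return r.action
        self.log.append(f"no rule(match): pass {desc}")   # toy assumption: default pass
        return "pass"


SERVER, CLIENT = "192.168.25.65", "203.0.113.7"   # client address is constructed


def telnet_handshake():
    """Constructed packets for 'telnet 192.168.25.65 80' arriving on wm1."""
    return [
        Packet("wm1", "in",  CLIENT, 40001, SERVER, 80, "S"),
        Packet("wm1", "out", SERVER, 80, CLIENT, 40001, "S."),
        Packet("wm1", "in",  CLIENT, 40001, SERVER, 80, "."),
        Packet("wm1", "in",  CLIENT, 40001, SERVER, 80, "P."),
    ]


def ext_group(stateful: bool):
    """Rules 5 and 6 of the quoted group "ext" on wm1, reduced to what the toy models."""
    return [
        Rule("5", "pass", stateful=stateful, direction="in", dst=SERVER, dport=80, flags="S/SA"),
        Rule("6", "block"),
    ]


def run(stateful: bool):
    """Return (verdict per packet, log lines) for the handshake through the ext group."""
    fw = ToyStatefulFilter(ext_group(stateful))
    verdicts = [fw.process(p) for p in telnet_handshake()]
    return verdicts, fw.log


if __name__ == "__main__":
    for stateful in (True, False):
        print(f"--- state created by rule 5: {stateful}")
        for line in run(stateful)[1]:
            print(line)
```

With state created on the SYN, the SYN-ACK out and the following [.] and [P.] packets are passed by the state table and never reach rule 6; without it, the run reproduces the symptom in the thread: the SYN is logged as a rule 5 match, the reply is blocked on the way out, and the later [.] packet is logged as a rule 6 block.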
