[email protected] (Sad Clouds) writes:

>Hi, I'm trying to understand why NPF is blocking some of the outgoing
>traffic. I'm filtering on axen0 interface, which is connected directly
>to the Internet router.
>
>NPF log tells me some outgoing traffic is getting blocked:
>
># tcpdump -tttt -enr /var/log/npflog0.pcap
>2025-11-23 10:11:19.767533 rule 10.rules.0/0(match): block out on axen0:
>10.0.0.2.58650 > 142.251.168.188.5228: Flags [.], ack 3910863993, win 501,
>options [nop,nop,TS val 1445442954 ecr 1238116412], length 0
>
>However I have a stateful NPF rule, which should permit all such
>traffic. Any ideas?

A stateful rule is a bit more complex: it works on the idea of a "connection" that starts at some point and ends at some point. For TCP, this means NPF is tracking the TCP protocol. It starts with the SYN packet and ends with e.g. a FIN/ACK or RST packet. The ACK could belong to a connection that hasn't been tracked (i.e. started before the rule was active), it could be a resent packet after a connection is closed, or just a resent packet that is outside the current TCP window.
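A simplified model of the stateful tracking described in the reply above, added here as an illustration (it is not NPF's implementation and ignores window checks): connections are keyed on the 4-tuple, an outgoing SYN opens tracking, FIN/RST closes it, and the stray ACK from the log, which matches no tracked state, is the packet that ends up blocked. Addresses other than the one in the log are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" or "in" relative to the filtered interface
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # tcpdump style: "S", "S.", ".", "F.", "R"


class StatefulTracker:
    """Simplified stateful filter for a single 'pass stateful out' rule.
    Both directions of a connection map to one normalised key."""

    def __init__(self):
        self.states = {}  # key -> "open"

    @staticmethod
    def key(pkt):
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def filter(self, pkt):
        """Return 'pass' or 'block' for one packet."""
        k = self.key(pkt)
        if k in self.states:
            # Part of a tracked connection: allowed in either direction.
            if "F" in pkt.flags or "R" in pkt.flags:
                del self.states[k]  # FIN/RST ends tracking (simplified)
            return "pass"
        if pkt.direction == "out" and pkt.flags == "S":
            self.states[k] = "open"  # outgoing SYN starts a connection
            return "pass"
        # Not tracked and not a connection start: blocked and logged.
        return "block"


def replay(packets):
    tracker = StatefulTracker()
    return [tracker.filter(p) for p in packets]


# Constructed sample: the stray ACK from the log, then a full connection
# (203.0.113.10 is a documentation address chosen for the example).
SAMPLE = [
    Packet("out", "10.0.0.2", 58650, "142.251.168.188", 5228, "."),  # no SYN seen
    Packet("out", "10.0.0.2", 40000, "203.0.113.10", 443, "S"),
    Packet("in", "203.0.113.10", 443, "10.0.0.2", 40000, "S."),
    Packet("out", "10.0.0.2", 40000, "203.0.113.10", 443, "."),
    Packet("out", "10.0.0.2", 40000, "203.0.113.10", 443, "F."),
    Packet("out", "10.0.0.2", 40000, "203.0.113.10", 443, "."),  # after close
]
```

Running `replay(SAMPLE)` marks the first and last packets as blocked: the first because no SYN was ever tracked, the last because the connection was already torn down.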
