I've just noticed that in 3.4 the RST generated by a block return-rst in rule is being blocked on the way out by a catch-all block out rule, e.g.:

    block return-rst in quick on $ext_if proto tcp \
        from any to $reachable_addrs port = ident

    block out log quick on $br_ext_if all        <-- RST blocked here

[nb. ext_if is a member of a bridge, and all of the reachable_addrs belong to other hosts.]

As a workaround I've added an explicit pass out rule:

    pass out quick on $ext_if proto tcp \
        from $reachable_addrs port = ident flags R/R

But this doesn't feel like it should be necessary ... shouldn't pf create a transient state for the outbound RST? Unless I missed it previously, it's also a change in behaviour from 3.3.

Bug or new feature?

Cheers, Miles
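As an added illustration (this is not part of Miles' post or of the pf distribution), here is the ruleset above assembled into a loadable pf.conf with the workaround in place. The interface names and the address list are assumptions chosen to make the file self-contained; the macro names are the ones from the post.

```pf
# Added example, not from the original post. Interface names and the
# reachable_addrs list are assumptions; substitute your own.
ext_if = "fxp0"      # assumed: bridge member on which the ident SYNs arrive
br_ext_if = "fxp1"   # assumed: the interface the catch-all block out is bound to
reachable_addrs = "{ 192.0.2.10, 192.0.2.11 }"   # assumed: hosts behind the bridge

# Reject ident (113/tcp) to the reachable hosts with a TCP RST rather than
# dropping silently, so remote mail/irc servers fail fast instead of timing out.
block return-rst in quick on $ext_if proto tcp \
    from any to $reachable_addrs port = ident

# Workaround from the post: explicitly pass the generated RST (flags R/R
# matches packets with RST set, checking only the RST bit). Both this rule
# and the catch-all below are "quick", so this one must come first.
# Delete it to reproduce the behaviour the post describes.
pass out quick on $ext_if proto tcp \
    from $reachable_addrs port = ident flags R/R

# Catch-all outbound block. Without the pass rule above, the RST produced by
# block return-rst is matched and logged here on its way out.
block out log quick on $br_ext_if all
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. To see whether the RST is still being caught, remove the pass rule, reload, and watch `tcpdump -n -e -ttt -i pflog0` for blocked outbound packets from port 113 with the R flag.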