On Sun, Nov 09, 2003 at 05:13:23PM +0000, Miles Sabin wrote:
> Options returning packets have no effect if pf(4) operates on a
> bridge(4).
>
> which leaves me even more puzzled. The block rule is on a bridge
> interface, yet the RST is being returned (definitely by the bridge
> itself, not one of the hosts behind it).
>
> Can anyone shed any light on this?
return-rst/-icmp require a bridge to have IP addresses assigned and routing table entries added. Basically, you must be able to ping the destination of the RST packet from userland, i.e. have a suitable source address and (default) route to the destination.

Hence, on a 'pure' bridge (with no IP addresses assigned, where the firewall's TCP/IP stack is isolated from IP networking, forwarding only frames on ethernet level), return-rst/-icmp doesn't work (the generated packets are dropped due to lacking routes).

Show us the tcpdump -n -e -ttt -i pflog0 output that makes you believe your ruleset is blocking pf generated RSTs.

Daniel
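A small checker for the kind of pflog0 output the reply asks for, added here as an example and not part of the original thread or of pf itself. It scans `tcpdump -n -e -ttt -i pflog0` style lines (the sample lines below are constructed and only approximate the real format, which varies between OpenBSD/tcpdump versions) and reports blocked outbound RSTs whose endpoints mirror an earlier blocked inbound SYN, which is what a ruleset swallowing pf's own return-rst packets would look like. The regex, the `pf_generated_rst_suspects` name and the interface names `fxp0`/`fxp1` are assumptions made for this example.

```python
import re

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (approximate format).
# Line 1: inbound telnet SYN blocked on the bridge member fxp0.
# Line 2: the mirrored RST (old-style tcpdump flags) blocked going out on fxp1.
# Line 3: another RST (new-style "Flags [R.]") with no matching SYN in the log.
# Line 4: a non-TCP line that must be ignored by the TCP-flag logic.
# Line 5: a blocked SYN for which no RST ever shows up.
SAMPLE_PFLOG = """\
 000000 rule 2/0(match): block in on fxp0: 10.0.0.5.40000 > 192.168.1.10.23: S 1:1(0) win 16384
 000412 rule 2/0(match): block out on fxp1: 192.168.1.10.23 > 10.0.0.5.40000: R 0:0(0) ack 2 win 0
 000007 rule 4/0(match): block out on fxp1: 192.168.1.10.23 > 10.0.0.5.40001: Flags [R.], seq 0, ack 1, win 0
 000100 rule 2/0(match): block in on fxp0: 10.0.0.5 > 192.168.1.10: icmp: echo request
 000300 rule 2/0(match): block in on fxp0: 10.0.0.7.5555 > 192.168.1.10.80: S 1:1(0) win 16384
"""

# rule <n>/<sub>(match): <action> <dir> on <if>: <src> > <dst>: <rest>
PFLOG_RE = re.compile(
    r'rule (\d+)/[^:]*: (block|pass) (in|out) on ([^:\s]+): (\S+) > (\S+): (.*)$'
)


def tcp_flags(rest):
    """Extract TCP flag letters from the tail of a tcpdump line.

    Handles both the old single-token style ("R 0:0(0) ack 2 ...") and the
    newer "Flags [R.]" style. Returns '' for non-TCP lines.
    """
    m = re.match(r'Flags \[([^\]]*)\]', rest)
    if m:
        return m.group(1)
    tokens = rest.split()
    tok = tokens[0] if tokens else ''
    return tok if re.fullmatch(r'[SFRPUEW.]+', tok) else ''


def parse_pflog(text):
    """Turn pflog tcpdump lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rule, action, direction, ifname, src, dst, rest = m.groups()
        events.append({
            "rule": rule, "action": action, "direction": direction,
            "iface": ifname, "src": src, "dst": dst, "flags": tcp_flags(rest),
        })
    return events


def blocked_rsts(text):
    """Every blocked packet with the RST flag set, regardless of origin."""
    return [e for e in parse_pflog(text)
            if e["action"] == "block" and "R" in e["flags"]]


def pf_generated_rst_suspects(text):
    """Blocked outbound RSTs whose src/dst pair is the reverse of an earlier
    blocked inbound SYN. Such an RST is the shape of pf's own return-rst
    reply, so seeing it blocked means a later rule is eating pf's replies
    (or, on an IP-less bridge, the reply was never routable to begin with)."""
    blocked_syns = set()
    suspects = []
    for e in parse_pflog(text):
        if e["action"] != "block":
            continue
        if e["direction"] == "in" and "S" in e["flags"] and "R" not in e["flags"]:
            blocked_syns.add((e["src"], e["dst"]))
        elif (e["direction"] == "out" and "R" in e["flags"]
              and (e["dst"], e["src"]) in blocked_syns):
            suspects.append(e)
    return suspects


if __name__ == "__main__":
    for e in pf_generated_rst_suspects(SAMPLE_PFLOG):
        print(f"rule {e['rule']} blocked a return-rst style packet on "
              f"{e['iface']}: {e['src']} > {e['dst']} flags={e['flags']}")
```

Feed it real output with `tcpdump -n -e -ttt -i pflog0 | python3 this_script.py` after swapping `SAMPLE_PFLOG` for `sys.stdin.read()`; a non-empty suspect list supports the "my ruleset blocks pf's RSTs" theory, while an empty list with no outbound RST at all points back at the missing address/route on the bridge.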