On Thu, Dec 14, 2006 at 01:11:11PM +0100, Axel Rau wrote:

> I'm still hunting loose state matches.
> After converting all non-protocol-specific "keep state" to either
>     flags S/SAFR keep state
> or
>     flags S/SAFR synproxy state
> , I'm still getting lots of warnings like this one:
>
> ---------------------------------------------------------------------
> Dec 14 11:16:47 pf: loose state match: TCP \
>     aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336 \
>     [lo=3396551343 high=3396616878 win=5840 modulator=874376751] \
>     [lo=3752913744 high=3752919543 win=65535 modulator=3189448930] \
>     9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10
For RSTs, the sequence number in the packet must match a value precisely; I suspect this is not the case here. Unfortunately, what is logged is not the actual sequence number of the packet.

Try to capture one such connection with tcpdump -nvvvS, from the initial SYN to the blocked RST, consisting only of packets that match this connection.

I suspect the sender of the RST is incrementing the sequence number in the RST inappropriately, or some such. Hard to tell without a trace.

Daniel
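Added example, not part of the thread and not pf's own code: a small Python script that parses the `loose state match` line quoted above and runs a simplified model of the window check over the numbers pf logged. Everything about pf's internals here is an assumption: the two bracketed windows are taken in the order pf prints them, with the first treated as the side that sent the logged packet (as the sample's numbers suggest), the RST rule Daniel mentions is modelled as "seq must equal that side's lo", and all sequence arithmetic is done modulo 2^32. The sample log line is constructed from the one quoted in the thread, re-joined onto one line.

```python
import re

# Constructed sample: the "loose state match" line quoted earlier in the
# thread, re-joined onto one line (the original was wrapped with backslashes).
SAMPLE_LOG = (
    "Dec 14 11:16:47 pf: loose state match: TCP "
    "aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336 "
    "[lo=3396551343 high=3396616878 win=5840 modulator=874376751] "
    "[lo=3752913744 high=3752919543 win=65535 modulator=3189448930] "
    "9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10"
)

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap

HEAD_RE = re.compile(r"loose state match: (\S+) (\S+) (\S+) (\S+) \[lo=")
WINDOW_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)\]")
PACKET_RE = re.compile(
    r"(\d+):(\d+) (\S+) seq=(\d+) ack=(\d+) len=(\d+) "
    r"ackskew=(-?\d+) pkts=(\d+):(\d+)"
)


def parse_loose_state_match(line):
    """Parse one pf 'loose state match' log line into a dict of fields."""
    head = HEAD_RE.search(line)
    windows = WINDOW_RE.findall(line)
    pkt = PACKET_RE.search(line)
    if head is None or len(windows) != 2 or pkt is None:
        raise ValueError("not a pf loose state match line: %r" % line)
    src, dst = (
        {"lo": int(lo), "high": int(high), "win": int(win), "modulator": int(mod)}
        for lo, high, win, mod in windows
    )
    return {
        "proto": head.group(1),
        "addrs": (head.group(2), head.group(3), head.group(4)),
        "src": src,  # first logged window; assumed to be the packet's sender
        "dst": dst,  # second logged window; the other side of the state
        "state": (int(pkt.group(1)), int(pkt.group(2))),
        "flags": pkt.group(3),
        "seq": int(pkt.group(4)),
        "ack": int(pkt.group(5)),
        "len": int(pkt.group(6)),
        "ackskew": int(pkt.group(7)),
        "pkts": (int(pkt.group(8)), int(pkt.group(9))),
    }


def seq_ge(a, b):
    """a >= b in 32-bit TCP sequence space (handles wrap-around)."""
    return ((a - b) & MASK) < 0x80000000


def in_window(seq, length, lo, high):
    """True if the segment [seq, seq+length] lies inside [lo, high] modulo 2^32."""
    end = (seq + length) & MASK
    return seq_ge(seq, lo) and seq_ge(high, end)


def check_packet(ev):
    """Simplified model of the window test; an assumption, not pf's code.

    Assumes the packet came from the first logged side ('src').
    Returns a dict mapping check name -> bool.
    """
    src, dst = ev["src"], ev["dst"]
    results = {
        "seq_in_src_window": in_window(ev["seq"], ev["len"], src["lo"], src["high"]),
        "ack_in_dst_window": in_window(ev["ack"], 0, dst["lo"], dst["high"]),
    }
    if "R" in ev["flags"]:
        # Daniel's point: an RST has to hit the expected value exactly.
        # Modelled here as seq == the sending side's lo (assumption).
        results["rst_seq_exact"] = ev["seq"] == src["lo"]
    return results


if __name__ == "__main__":
    event = parse_loose_state_match(SAMPLE_LOG)
    for name, ok in check_packet(event).items():
        print("%-20s %s" % (name, "pass" if ok else "FAIL"))
```

Run against the quoted line, every modelled check passes: the logged seq equals the first side's lo and the logged ack equals the second side's lo. That is exactly the problem Daniel points out: the numbers in the log are state-relative values, not what was on the wire, so the log alone cannot show why the RST was dropped. The useful next step is the capture he asks for, taken with tcpdump -nvvvS and a filter restricted to the one host and port pair, which this script does not replace.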