I have not done more than skim your config, but you might try
temporarily disabling your "block <foo_brutes>" rules and see
if that makes a difference in case your nmap scan is triggering
whatever it is that populates the brutes tables.

It's not the problem, Karl.

I've done a lot of tests from $nagios box like this:

$ i=0; while [ $i -lt 25 ]; do \
nmap -p 143 <imap_server_behind_pf> | grep tcp | awk '{print $2}' ; \
sleep 2; i=$((i + 1)); \
done

and the output is, randomly, open or filtered as I've said in the previous post.

I've tried a lot of nmap's options (scan types, timing policies, etc.) but I always get the same results.

The only pattern I've found is that when the nmap resolution is quick, it always shows 'open', and when the nmap resolution seems to be slow, the output is 'filtered'.

On PF's side I've tried with:

* no scrub from $nagios
* pass in on $bridge inet proto { tcp, udp, icmp } from $nagios allow-opts

--
Thanks,
Jordi Espasa Clofent
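To turn the "quick -> open, slow -> filtered" impression above into something measurable, here is an added example (not from this thread) that repeats the single-port probe, records the wall-clock seconds and the reported state for each run, and tallies them; the target, port and run count are placeholder assumptions.

```shell
#!/bin/sh
# Added example: time each nmap probe and correlate duration with the port
# state nmap reports, so a "filtered" result can be matched against slow runs.
export LC_ALL=C
TARGET="${TARGET:-<imap_server_behind_pf>}"   # placeholder, as in the thread
PORT="${PORT:-143}"
RUNS="${RUNS:-25}"

# Read full nmap output on stdin and print the state word (open, filtered,
# closed) for the given port, or "unknown" if the port line is missing.
port_state() {
    awk -v p="$1" '$1 == p"/tcp" { print $2; found = 1 }
                   END { if (!found) print "unknown" }'
}

# Read lines of "<seconds> <state>" and print "<state> <count> <avg_seconds>"
# per state, sorted by state name.
summarise() {
    awk '{ n[$2]++; t[$2] += $1 }
         END { for (s in n) printf "%s %d %.1f\n", s, n[s], t[s] / n[s] }' | sort
}

# Probe RUNS times, two seconds apart, emitting "<seconds> <state>" per run.
probe_loop() {
    i=0
    while [ "$i" -lt "$RUNS" ]; do
        start=$(date +%s)
        state=$(nmap -p "$PORT" "$TARGET" 2>/dev/null | port_state "$PORT")
        end=$(date +%s)
        echo "$((end - start)) $state"
        i=$((i + 1))
        sleep 2
    done
}

# Only probe when invoked as "sh script.sh run"; the raw log is kept for review.
if [ "${1:-}" = "run" ]; then
    probe_loop | tee probe.log | summarise
fi
```

If every "filtered" line in probe.log also carries a noticeably larger duration, the DNS or timing angle is worth pursuing before the filter rules.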
