Dear list,

I'm running a firewall using pf under NetBSD 4.0.1.  I've experienced a
weird problem which appears to be due to the outgoing rule:

%   pass out quick all keep state

I first noticed it when I ran "nmap -sS" (uses raw sockets) and got:

% yoda# nmap -sS AAA.BBB.CCC.DDD
% Starting Nmap 4.65 ( http://nmap.org ) at 2009-03-12 08:00 CET
% sendto in send_ip_packet: sendto(4, packet, 44, 0, AAA.BBB.CCC.DDD, 16) => No 
route to host
% Offending packet: TCP WWW.XXX.YYY.ZZZ:57973 > AAA.BBB.CCC.ZZZ:80 S ttl=39 
id=39289 iplen=11264  seq=3869808471 win=4096 <mss 1460>

However, I can make nmap run flawlessly when I remove the "keep state"
statement:

%   pass out quick all

Do you have an idea about the problem?  Note that pf on NetBSD 4.0.1
doesn't implicitly enable "flags S/SA" as in later versions of OpenBSD.

As a side remark, without "keep state", I can still create connections
from the firewall itself and even from other nat'ed computers.  How can
I explain this?  For other computers, the states are not matched
against interface or direction, are they?  This could be an explanation.
But what about the packets generated locally?

Thank you very much.
Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
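For reference, the explicit form of the "flags S/SA" modifier mentioned in the post, written out as a pf.conf fragment. This is an added illustration, not configuration from the post or the NetBSD project, and the interface name and network are assumed; whether the explicit flags change nmap's behaviour on NetBSD 4.0.1 is not established by the thread.

```text
# pf.conf fragment (added example; ext_if and the LAN range are assumed placeholders)
ext_if = "wm0"
lan    = "192.168.1.0/24"

# NAT for the LAN behind the firewall
nat on $ext_if from $lan to any -> ($ext_if)

# Original rule from the post: every outgoing packet, any protocol, creates state.
# pass out quick all keep state

# Same intent with the TCP state created only by the initial SYN, written out
# explicitly because this pf version does not default to "flags S/SA".
pass out quick on $ext_if proto tcp all flags S/SA keep state
pass out quick on $ext_if proto { udp icmp } all keep state
```

Restricting "keep state" to SYN-only packets is the usual way to avoid creating TCP state from mid-stream or non-SYN segments; "proto" and "flags" only apply to TCP, so the non-TCP traffic needs its own rule.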
