Re: strange results with pf

On Wed, Aug 20, 2003 at 04:30:16PM +0400, Alexei G. Malinin wrote:

> as I mentioned above I removed the rule "scrub in all"

You should now have 'log' on all block rules. If pf is blocking the probes, you should see the probes (not the icmp replies) logged in /var/log/pflog. If you don't, the block rules are not effective (or logging is not properly set up).

If you see the probes logged in /var/log/pflog, compare the matching rule number with pfctl -gvvsr output (the initial "@nr" part is the rule number). Does the rule blocking the probes really have 'return-icmp'?

If so, pf may be attempting to send a reply, but fails due to lacking routing table entries. You're not running a bridge, are you?

BTW, you can follow-up to pf@benzedrine.cx, I think we're cluttering tech@, not sure this is still on-topic here.

Daniel Received on Wed Aug 20 09:11:35 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek