Hi
I have had this rule for some time without issues. But since the upgrade from
OpenBSD 6.0 to 6.1 yesterday I have had issues. Today when I sniffed incoming
traffic on port 80 on my FW internet interface, the firewall no longer
sent it out on my dmz1 to the web server. After removing “modulate state” that
I have had for a while without issues it started to work again. So… After
changing...

    pass in log quick on $INTERNET_INT inet proto tcp \
        from any to $DMZ1_DAEDALUS port { 80 443 } \
        label "webstats:$dstport" flags S/SAFR modulate state \
        (max-src-nodes 90, max-src-states 150, max-src-conn 150, \
        max-src-conn-rate 250/30, overload <bad_hosts> flush global)

to

    pass in log quick on $INTERNET_INT inet proto tcp \
        from any to $DMZ1_DAEDALUS port { 80 443 } \
        label "webstats:$dstport" flags S/SAFR keep state \
        (max-src-nodes 90, max-src-states 150, max-src-conn 150, \
        max-src-conn-rate 250/30, overload <bad_hosts> flush global)

it now works again.
If someone can answer, please enlighten me why this happens now and not before
the upgrade.
Regards
Peo