I have a new box running a fresh install of OpenBSD 4.3 and openvpn-2.0.9p1 (installed from port). My problem is with pf dropping stateful response traffic. The SYN enters the tun0 interface and is forwarded to vic0. The response traffic enters vic0 and is dropped.
pf.conf:

    nat on vic1 from vic0:network to any -> vic1
    block in log
    pass in quick log

Rules:

    # pfctl -sr
    block drop in log all
    pass in log quick all flags S/SA keep state

States:

    # pfctl -vvvss | grep -A3 192.168.x.x:3389
    all tcp 192.168.x.x:3389 <- 10.x.x.x:2306       CLOSED:SYN_SENT
       [0 + 64512]  [2084508194 + 1]
       age 00:00:08, expires in 00:00:24, 2:0 pkts, 96:0 bytes, rule 1
       id: 9243e148d3f80100 creatorid: b65f4e16

tcpdump:

    # tcpdump -ni vic0 port 3389
    tcpdump: listening on vic0, link-type EN10MB
    13:56:24.849664 10.x.x.x.2306 > 192.168.x.x.3389: S 933295692:933295692(0) win 64512 <mss 1260,nop,nop,sackOK>
    13:56:24.849949 192.168.x.x.3389 > 10.x.x.x.2306: S 2040098613:2040098613(0) ack 933295693 win 65535 <mss 1260,nop,nop,sackOK>
    13:56:27.757160 192.168.x.x.3389 > 10.x.x.x.2306: S 2040098613:2040098613(0) ack 933295693 win 65535 <mss 1260,nop,nop,sackOK>
    13:56:27.807551 10.x.x.x.2306 > 192.168.x.x.3389: S 933295692:933295692(0) win 64512 <mss 1260,nop,nop,sackOK>
    13:56:27.807823 192.168.x.x.3389 > 10.x.x.x.2306: . ack 1 win 65535
    13:56:33.741772 10.x.x.x.2306 > 192.168.x.x.3389: S 933295692:933295692(0) win 64512 <mss 1260,nop,nop,sackOK>
    13:56:33.742066 192.168.x.x.3389 > 10.x.x.x.2306: . ack 1 win 65535
    13:56:33.772694 192.168.x.x.3389 > 10.x.x.x.2306: S 2040098613:2040098613(0) ack 933295693 win 65535 <mss 1260,nop,nop,sackOK>

pflog:

    rule 1/(match) pass in on tun0: 10.x.x.x.2306 > 192.168.x.x.3389: [|tcp] (DF)
    rule 0/(match) block in on vic0: 192.168.x.x.3389 > 10.x.x.x.2306: [|tcp] (DF)
    rule 0/(match) block in on vic0: 192.168.x.x.3389 > 10.x.x.x.2306: [|tcp] (DF)
    rule 0/(match) block in on vic0: 192.168.x.x.3389 > 10.x.x.x.2306: [|tcp] (DF)
    rule 0/(match) block in on vic0: 192.168.x.x.3389 > 10.x.x.x.2306: [|tcp] (DF)
    rule 0/(match) block in on vic0: 192.168.x.x.3389 > 10.x.x.x.2306: [|tcp] (DF)

As far as I can tell, the problem only occurs on traffic entering tun0. Traffic entering vic0 (and leaving either vic1 or tun0) works just fine.
-- View this message in context: http://www.nabble.com/pf---stateful-respone-being-dropped-tp19865242p19865242.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
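One way to confirm the pattern the pflog output above shows, as an added example that is not from the original post or from OpenBSD: a small Python script that parses tcpdump-style pflog lines and flags blocked packets whose 5-tuple is the reverse of a flow pf passed earlier on a different interface, i.e. dropped stateful replies. The log lines and addresses embedded below are constructed placeholders, not the poster's data.

```python
import re
from collections import Counter, namedtuple

# Constructed sample pflog lines, in the same shape as "tcpdump -n -e -ttt -i pflog0" output
PFLOG = """\
rule 1/(match) pass in on tun0: 10.0.0.5.2306 > 192.168.1.10.3389: [|tcp] (DF)
rule 0/(match) block in on vic0: 192.168.1.10.3389 > 10.0.0.5.2306: [|tcp] (DF)
rule 0/(match) block in on vic0: 192.168.1.10.3389 > 10.0.0.5.2306: [|tcp] (DF)
rule 0/(match) block in on vic0: 192.168.1.10.53 > 10.0.0.7.40000: [|udp]
"""

# rule N/(match) ACTION DIR on IFNAME: SRC.SPORT > DST.DPORT: ...
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

Entry = namedtuple("Entry", "rule action direction ifname src sport dst dport")


def parse_pflog(text):
    """Parse pflog lines into Entry tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)          # search() tolerates a leading timestamp
        if m:
            d = m.groupdict()
            entries.append(Entry(int(d["rule"]), d["action"], d["dir"], d["ifname"],
                                 d["src"], int(d["sport"]), d["dst"], int(d["dport"])))
    return entries


def dropped_replies(entries):
    """Return (pass_ifname, blocked_entry) pairs: blocked packets that are the
    reverse 5-tuple of a flow an earlier 'pass' entry admitted."""
    passed = {}                          # (src, sport, dst, dport) -> interface passed on
    hits = []
    for e in entries:
        fwd = (e.src, e.sport, e.dst, e.dport)
        rev = (e.dst, e.dport, e.src, e.sport)
        if e.action == "pass":
            passed[fwd] = e.ifname
        elif rev in passed:
            hits.append((passed[rev], e))
    return hits


def interface_pairs(hits):
    """Count (interface the flow was passed on, interface the reply was blocked on)."""
    return Counter((pass_if, e.ifname) for pass_if, e in hits)


if __name__ == "__main__":
    for pass_if, e in dropped_replies(parse_pflog(PFLOG)):
        print(f"reply blocked on {e.ifname} for flow passed on {pass_if}: "
              f"{e.src}.{e.sport} > {e.dst}.{e.dport} (rule {e.rule})")
```

A (tun0, vic0) count that keeps climbing while traffic entering vic0 never shows up confirms the asymmetry the post describes, which narrows the search to how state created on tun0 is (or is not) matched on vic0.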

