On Sun, May 18, 2008 at 3:33 AM, Johan Strm <firstname.lastname@example.org> wrote:
> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>> Johan Strm wrote:
>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>>> inserted is "pass on lo0 inet from 184.108.40.206 to 220.127.116.11 flags
>>> S/SA keep state". Where did that "keep state" come from?
>> 'flags S/SA keep state' is the default now for tcp filter rules -- that
>> was new in 7.0 reflecting the upstream changes made between the 4.0 and
>> releases of OpenBSD. If you want a stateless rule, append 'no state'.
> Thanks! I was actually looking around in the pf.conf manpage but failed to
> find it yesterday, but looking closer today I now saw it.
> Applied the no state (and quick) to the rule, and now no state is created.
> And the problem I had in the first place seems to have been resolved too
> now, even though it didn't look like a state problem... (started to deny new
> connections much earlier than the states were full, although maybe I wasn't
> looking for updates fast enough or something).
I'd be willing to bet it's because you're reusing the source port on a
new connection before the old state expires.
You'll know if you check the state-mismatch counter.
Anyway, glad you found a resolution.
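An added example, not part of this thread, for the check suggested above: a small POSIX shell script that pulls the state-mismatch counter out of `pfctl -si` output and reports how much it grew between two snapshots. The two snapshots embedded below are constructed sample output, not real captures; the function names are this example's own.

```shell
#!/bin/sh
# Added example: extract pf's state-mismatch counter from `pfctl -si` output
# and report how much it grew between two snapshots. A counter that keeps
# climbing while new connections are refused is consistent with a client
# reusing a source port before the old TCP state has expired.

# Constructed sample snapshots, trimmed to the relevant lines (not real captures).
SNAP_BEFORE='State Table                          Total             Rate
  current entries                       12
  searches                           12345           20.6/s
  inserts                              456            0.8/s
  removals                             444            0.7/s
Counters
  match                                456            0.8/s
  bad-offset                             0            0.0/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s'

SNAP_AFTER='State Table                          Total             Rate
  current entries                       14
  searches                           13890           21.0/s
  inserts                              498            0.9/s
  removals                             484            0.8/s
Counters
  match                                498            0.9/s
  bad-offset                             0            0.0/s
  state-mismatch                        42            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s'

# Print the "Total" column of the state-mismatch counter from one snapshot.
state_mismatch() {
    printf '%s\n' "$1" | awk '$1 == "state-mismatch" { print $2; exit }'
}

# Growth of the counter between two snapshots (second minus first).
state_mismatch_delta() {
    before=$(state_mismatch "$1")
    after=$(state_mismatch "$2")
    echo $(( after - before ))
}

# Live use on a pf host: sample the counter twice, N seconds apart (default 10).
live_state_mismatch_delta() {
    first=$(pfctl -si) || return 1
    sleep "${1:-10}"
    second=$(pfctl -si) || return 1
    state_mismatch_delta "$first" "$second"
}

echo "state-mismatch grew by $(state_mismatch_delta "$SNAP_BEFORE" "$SNAP_AFTER")"
```

Run `live_state_mismatch_delta 30` on the firewall itself while reproducing the refused connections; a delta close to the number of failed attempts points at stale states rather than a full state table.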