Bug #389

modulate state

Added by bastyaelvtars almost 10 years ago. Updated over 3 years ago.

Status:FeedbackStart date:
Priority:NormalDue date:
Assignee:-% Done:


Target version:-


If I create a rule:
pass out quick on $iface proto tcp from any to any flags S/SA modulate state
the connections don't initiate. Replacing 'flags S/SA modulate state' to
'keep state' salvages this.


#1 Updated by bastyaelvtars almost 10 years ago

Update: some web pages just don't load, clients behind the firewall
cannot even connect to those particular servers (www.iwiw.hu for
example). Tcpdump shows nothing, when we disable pf, they load.

#2 Updated by bastyaelvtars almost 10 years ago

Behind my other bridge, the aforementioned page loads. I recall reports
on similar behaviour with OpenBSD 3.6, we did not have this with OpenBSD
3.7 and 3.8. I think the only salwage for this will be a PF update in
the base system, until then, I'll redirect the requests targeting this
(popular) website to an HTTP proxy.

#3 Updated by bastyaelvtars about 9 years ago

The non-loadinbg web page issue seems to be fixed by Matt's commit:
However, the 'modulate state' thing still does not work.

#4 Updated by tuxillo over 3 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee deleted (0)


pf(4) was updated long after this bug ticket was opened. Can you please check it out in current master/release?

Antonio Huete

Also available in: Atom PDF