PF Help understanding the PF statistics

I have a rule pass out quick which presumably allows all outgoing traffic. However when I look at the output of pfctl -si I get this:

Code:
Interface Stats for em0               IPv4             IPv6
  Bytes In                          140634          4896420
  Bytes Out                        2274296            60214
  Packets In
    Passed                            1731              808
    Blocked                            420                0
  Packets Out
    Passed                               0                0
    Blocked                           1133                0

Note the 1133 packets out blocked in the IPv4 column. It also seems to increase when doing a ping for example.

What am I missing? I thought the above rule was supposed to pass all traffic? And why is passed 0?

FWIW, everything seems to work as it should otherwise.
 
You're probably going to want to post all your rules. Why? pf is "last match wins" so if you have pass out quick at the top of the ruleset and have other rules after it, then the pass out quick may not match.
 
But fwiw this is the output of pfctl -s rules:
Code:
block drop in all
pass in quick proto tcp from any to any port = 2223 flags S/SA keep state
pass in quick inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in quick inet proto icmp all icmp-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from any to (em0) icmp6-type neighbrsol no state
pass in quick inet6 proto ipv6-icmp from any to (em0) icmp6-type neighbradv no state
pass in quick inet6 proto ipv6-icmp from any to ff02::1:ff00:0/104 icmp6-type neighbrsol no state
pass in quick inet6 proto ipv6-icmp from any to ff02::1:ff00:0/104 icmp6-type neighbradv no state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::1 icmp6-type routeradv no state
pass quick inet6 proto ipv6-icmp from :: to ff02::1:ff00:0/104 icmp6-type neighbrsol no state
pass out all flags S/SA keep state
 
pf.conf(5)
Code:
quick
   If a packet matches a rule which has the quick option set, this
   rule is considered the last matching rule, and evaluation of
   subsequent rules is skipped.
 
Yeah, I dropped "quick" from the rule in question since it is the last one anyway.
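
The rule evaluation described in the pf.conf(5) excerpt above, as an added example that is not part of the original thread: a simplified Python model in which the last matching rule decides unless a matching rule carries quick. The names `Rule` and `evaluate` are hypothetical, and state tracking, TCP flags and ICMP types are omitted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    quick: bool = False
    af: Optional[str] = None         # "inet" or "inet6"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # An unset criterion matches anything, as with "all" in pf.conf.
        return all(want is None or pkt.get(key) == want for key, want in (
            ("dir", self.direction), ("af", self.af),
            ("proto", self.proto), ("dport", self.dport)))

def evaluate(rules, pkt):
    """Return (action, index of deciding rule); index None = implicit pass."""
    decision = ("pass", None)        # pf passes packets that match no rule
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, i)
            if rule.quick:           # quick: stop here, skip later rules
                break
    return decision

# Simplified subset of the ruleset posted in the thread.
THREAD_RULES = [
    Rule("block", "in"),
    Rule("pass", "in", quick=True, proto="tcp", dport=2223),
    Rule("pass", "in", quick=True, af="inet", proto="icmp"),
    Rule("pass", "out"),
]
# Constructed rulesets: same two rules, with and without quick on the first.
QUICK_FIRST = [Rule("pass", "out", quick=True), Rule("block", "out")]
NO_QUICK = [Rule("pass", "out"), Rule("block", "out")]

PING_OUT = {"dir": "out", "af": "inet", "proto": "icmp"}  # constructed packet

if __name__ == "__main__":
    for name, rs in (("thread", THREAD_RULES), ("quick first", QUICK_FIRST),
                     ("no quick", NO_QUICK)):
        print(name, evaluate(rs, PING_OUT))
```

In this model an outbound IPv4 ping is decided by the final `pass out` rule of the posted ruleset, and a `quick` rule placed first wins over any rule listed after it.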
 