Re: NPF is blocking some of the outgoing traffic

To: netbsd-users%netbsd.org@localhost
Subject: Re: NPF is blocking some of the outgoing traffic
From: mlelstv%serpens.de@localhost (Michael van Elst)
Date: Sun, 23 Nov 2025 12:21:25 -0000 (UTC)

cryintothebluesky%gmail.com@localhost (Sad Clouds) writes:

>Hi, I'm trying to understand why NPF is blocking some of the outgoing
>traffic. I'm filtering on axen0 interface, which is connected directly
>to the Internet router.

>NPF log tells me some outgoing traffic is getting blocked:

># tcpdump -tttt -enr /var/log/npflog0.pcap
>2025-11-23 10:11:19.767533 rule 10.rules.0/0(match): block out on axen0: 10.0.0.2.58650 > 142.251.168.188.5228: Flags [.], ack 3910863993, win 501, options [nop,nop,TS val 1445442954 ecr 1238116412], length 0

>However I have a stateful NPF rule, which should permit all such
>traffic. Any ideas?

A stateful rule is a bit more complex, it works on the idea of a
"connection" that starts at some point and ends at some point.

For TCP, this means, NFP is tracking the TCP protocol. It starts
with the SYN packet and ends with e.g. a FIN/ACK or RST packet.

The ACK could belong to a connection that hasn't been tracked
(i.e. started before the rule was active), it could be a
resent packet after a connection is closed, or just a resent
packet that is outside the current TCP window.

References:
- NPF is blocking some of the outgoing traffic
  - From: Sad Clouds

Prev by Date: NPF is blocking some of the outgoing traffic
Previous by Thread: NPF is blocking some of the outgoing traffic
Indexes:

Home | Main Index | Thread Index | Old Index