On Wed, Aug 20, 2003 at 04:30:16PM +0400, Alexei G. Malinin wrote:

> as I mentioned above I removed the rule "scrub in all"
> I checked /var/log/pflog - there were no "protocol unreachable replies" :-(

You should now have 'log' on all block rules. If pf is blocking the
probes, you should see the probes (not the icmp replies) logged in
/var/log/pflog. If you don't, the block rules are not effective (or
logging is not properly set up).

If you see the probes logged in /var/log/pflog, compare the matching
rule number with pfctl -gvvsr output (the initial "@nr" part is the rule
number). Does the rule blocking the probes really have 'return-icmp'?

If so, pf may be attempting to send a reply, but fails due to lacking
routing table entries. You're not running a bridge, are you?

BTW, you can follow-up to pf@benzedrine.cx, I think we're cluttering
tech@, not sure this is still on-topic here.

Daniel