Associated NAT rules for TCP missing flags
TCP rules are supposed to get "flags S/SA" by default but for some reason associated filter rules for TCP port forwards do not.
Easy to reproduce, make a port forward for a TCP port with an associated rule and check /tmp/rules.debug - no flags.
Make a normal firewall rule for a TCP port, and it gets flags.
#1 Updated by Jim Pingle about 4 years ago
- Status changed from New to Feedback
Mostly mitigated by c3f01709d6d932f9f49f771ecd5f2652af05d5fe and the fact that pf apparently assumes flags S/SA when they're not specified.
Not sure why it was failing the test fixed in that commit, someone may want to test setting other advanced options on those rules and see if any of them actually work. (the ones that make sense to work anyhow)