
Re: PF failing to block?



My bad.

Here is a dump of the relevant information. I've captured the info and the 
ruleset that are causing the problem. Any thoughts as to why?

-blair

PS Note that these are the only relevant rules. The 12.87.132.204 address
is an AT&T dialup that I'm using to test this. It has no special access to
our network.

---------------------------------------------------------------
Offending rules

@5 block return-icmp in log on fxp0 proto udp all
@15 block return-rst in log on fxp0 proto tcp all flags S/SA
@53 pass out quick on fxp0 proto tcp all keep state
@55 pass out quick on fxp0 proto icmp all keep state

Log file
Feb 18 11:51:30.658275 rule 15/0(match): block in on fxp0: 
12.87.132.204.2438 > *.*.*.77.80: S 1246986737:1246986737(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:51:30.658947 rule 53/0(match): pass out on fxp0: *.*.*.77.80 > 
12.87.132.204.2438: R 0:0(0) ack 1246986738 win 0
Feb 18 11:51:36.421861 rule 15/0(match): block in on fxp0: 
12.87.132.204.2439 > *.*.*.77.80: S 1248483951:1248483951(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:51:36.422508 rule 53/0(match): pass out on fxp0: *.*.*.77.80 > 
12.87.132.204.2439: R 0:0(0) ack 1248483952 win 0
Feb 18 11:51:55.508998 rule 15/0(match): block in on fxp0: 
12.87.132.204.2441 > *.*.*.70.21: S 1253269040:1253269040(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:51:55.509632 rule 53/0(match): pass out on fxp0: *.*.*.70.21 > 
12.87.132.204.2441: R 0:0(0) ack 1253269041 win 0
Feb 18 11:51:56.717543 rule 15/0(match): block in on fxp0: 
12.87.132.204.2442 > *.*.*.70.21: S 1253621271:1253621271(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:51:56.718159 rule 53/0(match): pass out on fxp0: *.*.*.70.21 > 
12.87.132.204.2442: R 0:0(0) ack 1253621272 win 0
Feb 18 11:52:02.458626 rule 54/0(match): pass out on fxp0: *.*.*.67.53 > 
12.127.16.69.53:  30463+[|domain]
Feb 18 11:52:05.912510 rule 15/0(match): block in on fxp0: 
12.87.132.204.2443 > *.*.*.70.21: S 1255971961:1255971961(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:05.913199 rule 53/0(match): pass out on fxp0: *.*.*.70.21 > 
12.87.132.204.2443: R 0:0(0) ack 1255971962 win 0
Feb 18 11:52:14.727562 rule 15/0(match): block in on fxp0: 
12.87.132.204.2444 > *.*.*.85.80: S 1258204811:1258204811(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:14.728197 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2444: R 0:0(0) ack 1258204812 win 0
Feb 18 11:52:16.553185 rule 15/0(match): block in on fxp0: 
12.87.132.204.2445 > *.*.*.85.80: S 1258706013:1258706013(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:16.553804 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2445: R 0:0(0) ack 1258706014 win 0
Feb 18 11:52:16.564630 rule 15/0(match): block in on fxp0: 
12.87.132.204.2446 > *.*.*.85.80: S 1258751550:1258751550(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:16.565263 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2446: R 0:0(0) ack 1258751551 win 0
Feb 18 11:52:16.612478 rule 15/0(match): block in on fxp0: 
12.87.132.204.2447 > *.*.*.85.80: S 1258810821:1258810821(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:16.613089 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2447: R 0:0(0) ack 1258810822 win 0
Feb 18 11:52:16.894422 rule 15/0(match): block in on fxp0: 
12.87.132.204.2448 > *.*.*.85.80: S 1258929663:1258929663(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:16.895022 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2448: R 0:0(0) ack 1258929664 win 0
Feb 18 11:52:18.135351 rule 15/0(match): block in on fxp0: 
12.87.132.204.2449 > *.*.*.85.80: S 1259278102:1259278102(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:18.135961 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2449: R 0:0(0) ack 1259278103 win 0
Feb 18 11:52:18.149275 rule 15/0(match): block in on fxp0: 
12.87.132.204.2450 > *.*.*.85.80: S 1259340043:1259340043(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:18.149877 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2450: R 0:0(0) ack 1259340044 win 0
Feb 18 11:52:19.057053 rule 15/0(match): block in on fxp0: 
12.87.132.204.2452 > *.*.*.85.80: S 1259621403:1259621403(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:19.060397 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2452: R 0:0(0) ack 1259621404 win 0
Feb 18 11:52:19.081123 rule 15/0(match): block in on fxp0: 
12.87.132.204.2453 > *.*.*.85.80: S 1259711094:1259711094(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:19.081728 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2453: R 0:0(0) ack 1259711095 win 0
Feb 18 11:52:19.586433 rule 15/0(match): block in on fxp0: 
12.87.132.204.2454 > *.*.*.85.80: S 1259873476:1259873476(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:19.587038 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2454: R 0:0(0) ack 1259873477 win 0
Feb 18 11:52:19.693866 rule 15/0(match): block in on fxp0: 
12.87.132.204.2455 > *.*.*.85.80: S 1259947657:1259947657(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:19.694466 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2455: R 0:0(0) ack 1259947658 win 0
Feb 18 11:52:20.605238 rule 15/0(match): block in on fxp0: 
12.87.132.204.2456 > *.*.*.85.80: S 1260217357:1260217357(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:20.605866 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2456: R 0:0(0) ack 1260217358 win 0
Feb 18 11:52:20.726490 rule 15/0(match): block in on fxp0: 
12.87.132.204.2457 > *.*.*.85.80: S 1260275523:1260275523(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:20.727097 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2457: R 0:0(0) ack 1260275524 win 0
Feb 18 11:52:23.715064 rule 15/0(match): block in on fxp0: 
12.87.132.204.2458 > *.*.*.85.80: S 1261068189:1261068189(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:23.715680 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2458: R 0:0(0) ack 1261068190 win 0
Feb 18 11:52:32.742400 rule 15/0(match): block in on fxp0: 
12.87.132.204.2459 > *.*.*.85.80: S 1263370949:1263370949(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:32.743048 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2459: R 0:0(0) ack 1263370950 win 0
Feb 18 11:52:35.876685 rule 15/0(match): block in on fxp0: 
12.87.132.204.2460 > *.*.*.85.80: S 1264194541:1264194541(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:35.877324 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2460: R 0:0(0) ack 1264194542 win 0
Feb 18 11:52:38.804301 rule 15/0(match): block in on fxp0: 
12.87.132.204.2461 > *.*.*.85.80: S 1265003704:1265003704(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:38.804913 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2461: R 0:0(0) ack 1265003705 win 0
Feb 18 11:52:43.606224 rule 15/0(match): block in on fxp0: 
12.87.132.204.2462 > *.*.*.85.80: S 1266243379:1266243379(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:43.606839 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2462: R 0:0(0) ack 1266243380 win 0
Feb 18 11:52:48.084855 rule 15/0(match): block in on fxp0: 
12.87.132.204.2463 > *.*.*.85.80: S 1267409735:1267409735(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:48.085465 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2463: R 0:0(0) ack 1267409736 win 0
Feb 18 11:52:50.163689 rule 15/0(match): block in on fxp0: 
12.87.132.204.2464 > *.*.*.85.80: S 1267967954:1267967954(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:50.164301 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2464: R 0:0(0) ack 1267967955 win 0
Feb 18 11:52:52.279853 rule 15/0(match): block in on fxp0: 
12.87.132.204.2465 > *.*.*.85.80: S 1268552507:1268552507(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:52.280459 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2465: R 0:0(0) ack 1268552508 win 0
Feb 18 11:52:52.733376 rule 15/0(match): block in on fxp0: 
12.87.132.204.2466 > *.*.*.72.12345: S 1268706505:1268706505(0) win 8760 
<mss 1460,nop,nop,sackOK> (DF)
Feb 18 11:52:52.733999 rule 53/0(match): pass out on fxp0: *.*.*.72.12345 > 
12.87.132.204.2466: R 0:0(0) ack 1268706506 win 0
Feb 18 11:52:59.391167 rule 15/0(match): block in on fxp0: 
12.87.132.204.2468 > *.*.*.85.80: S 1270415357:1270415357(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:52:59.391856 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2468: R 0:0(0) ack 1270415358 win 0
Feb 18 11:52:59.404611 rule 15/0(match): block in on fxp0: 
12.87.132.204.2469 > *.*.*.72.12345: S 1270465361:1270465361(0) win 8760 
<mss 1460,nop,nop,sackOK> (DF)
Feb 18 11:52:59.405223 rule 53/0(match): pass out on fxp0: *.*.*.72.12345 > 
12.87.132.204.2469: R 0:0(0) ack 1270465362 win 0
Feb 18 11:53:04.442108 rule 15/0(match): block in on fxp0: 
12.87.132.204.2470 > *.*.*.85.80: S 1271759621:1271759621(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:04.442721 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2470: R 0:0(0) ack 1271759622 win 0
Feb 18 11:53:16.912700 rule 15/0(match): block in on fxp0: 
12.87.132.204.2471 > *.*.*.70.21: S 1274920114:1274920114(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:16.913379 rule 53/0(match): pass out on fxp0: *.*.*.70.21 > 
12.87.132.204.2471: R 0:0(0) ack 1274920115 win 0
Feb 18 11:53:24.687125 rule 15/0(match): block in on fxp0: 
12.87.132.204.2472 > *.*.*.85.80: S 1276908483:1276908483(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:24.687740 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2472: R 0:0(0) ack 1276908484 win 0
Feb 18 11:53:31.735243 rule 15/0(match): block in on fxp0: 
12.87.132.204.2473 > *.*.*.70.80: S 1278697204:1278697204(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:31.735878 rule 53/0(match): pass out on fxp0: *.*.*.70.80 > 
12.87.132.204.2473: R 0:0(0) ack 1278697205 win 0
Feb 18 11:53:36.282817 rule 15/0(match): block in on fxp0: 
12.87.132.204.2474 > *.*.*.85.80: S 1279890029:1279890029(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:36.283432 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2474: R 0:0(0) ack 1279890030 win 0
Feb 18 11:53:43.446311 rule 15/0(match): block in on fxp0: 
12.87.132.204.2475 > *.*.*.85.80: S 1281726668:1281726668(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:43.446943 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2475: R 0:0(0) ack 1281726669 win 0
Feb 18 11:53:46.487642 rule 15/0(match): block in on fxp0: 
12.87.132.204.2476 > *.*.*.85.80: S 1282535112:1282535112(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:46.488260 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2476: R 0:0(0) ack 1282535113 win 0
Feb 18 11:53:48.873936 rule 15/0(match): block in on fxp0: 
12.87.132.204.2480 > *.*.*.85.80: S 1283199963:1283199963(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:48.874554 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2480: R 0:0(0) ack 1283199964 win 0
Feb 18 11:53:51.634201 rule 15/0(match): block in on fxp0: 
12.87.132.204.2481 > *.*.*.85.80: S 1283920565:1283920565(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:51.634821 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2481: R 0:0(0) ack 1283920566 win 0
Feb 18 11:53:51.644101 rule 15/0(match): block in on fxp0: 
12.87.132.204.2482 > *.*.*.85.80: S 1283987694:1283987694(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:51.644703 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2482: R 0:0(0) ack 1283987695 win 0
Feb 18 11:53:53.870397 rule 15/0(match): block in on fxp0: 
12.87.132.204.2483 > *.*.*.85.80: S 1284583821:1284583821(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:53.871022 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2483: R 0:0(0) ack 1284583822 win 0
Feb 18 11:53:55.458017 rule 15/0(match): block in on fxp0: 
12.87.132.204.2484 > *.*.*.85.80: S 1285031658:1285031658(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:55.458645 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2484: R 0:0(0) ack 1285031659 win 0
Feb 18 11:53:58.286169 rule 15/0(match): block in on fxp0: 
12.87.132.204.2485 > *.*.*.85.80: S 1285782358:1285782358(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:53:58.286795 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2485: R 0:0(0) ack 1285782359 win 0
Feb 18 11:54:00.381455 rule 15/0(match): block in on fxp0: 
12.87.132.204.2486 > *.*.*.85.80: S 1286363484:1286363484(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:54:00.382078 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2486: R 0:0(0) ack 1286363485 win 0
Feb 18 11:54:02.488649 rule 15/0(match): block in on fxp0: 
12.87.132.204.2487 > *.*.*.85.80: S 1286935913:1286935913(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:54:02.489272 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2487: R 0:0(0) ack 1286935914 win 0
Feb 18 11:54:04.395103 rule 15/0(match): block in on fxp0: 
12.87.132.204.2488 > *.*.*.85.80: S 1287464719:1287464719(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:54:04.395744 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2488: R 0:0(0) ack 1287464720 win 0
Feb 18 11:54:06.019999 rule 5/0(match): block in on fxp0: 
12.87.132.204.2477 > *.*.*.85.161:  C=internal GetRequest(23) 
.1.3.6.1.4.1.11.2.3[|snmp]
Feb 18 11:54:06.020376 rule 55/0(match): pass out on fxp0: *.*.*.66 > 
12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:54:07.023239 rule 15/0(match): block in on fxp0: 
12.87.132.204.2489 > *.*.*.85.80: S 1288157373:1288157373(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:54:07.023877 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 
12.87.132.204.2489: R 0:0(0) ack 1288157374 win 0
Feb 18 11:54:08.010856 rule 5/0(match): block in on fxp0: 
12.87.132.204.1028 > *.*.*.85.161:  GetRequest(25) 
.1.3.6.1.2.1.25.3.2.1.5[|snmp]
Feb 18 11:54:08.011273 rule 55/0(match): pass out on fxp0: *.*.*.66 > 
12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:54:08.620354 rule 5/0(match): block in on fxp0: 
12.87.132.204.2478 > *.*.*.85.161:  C=internal2 GetRequest(22) 
.1.3.6.1.2.1.1.1[|snmp]
Feb 18 11:54:08.620738 rule 55/0(match): pass out on fxp0: *.*.*.66 > 
12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:54:08.666355 rule 5/0(match): block in on fxp0: 
12.87.132.204.2479 > *.*.*.85.161:  C=internal3 GetRequest(22) 
.1.3.6.1.2.1.1.1[|snmp]
Feb 18 11:54:08.666693 rule 55/0(match): pass out on fxp0: *.*.*.66 > 
12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:54:14.273259 rule 5/0(match): block in on fxp0: 
12.87.132.204.1028 > *.*.*.85.161:  GetRequest(25) 
.1.3.6.1.2.1.25.3.2.1.5[|snmp]
Feb 18 11:54:14.273696 rule 55/0(match): pass out on fxp0: *.*.*.66 > 
12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:54:21.270933 rule 5/0(match): block in on fxp0: 
12.87.132.204.1028 > *.*.*.85.161:  GetRequest(25) 
.1.3.6.1.2.1.25.3.2.1.5[|snmp]
Feb 18 11:54:21.271356 rule 55/0(match): pass out on fxp0: *.*.*.66 > 
12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:54:27.279073 rule 5/0(match): block in on fxp0: 
12.87.132.204.1028 > *.*.*.85.161:  GetRequest(25) 
.1.3.6.1.2.1.25.3.2.1.5[|snmp]
Feb 18 11:54:27.279485 rule 55/0(match): pass out on fxp0: *.*.*.66 > 
12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:54:33.182201 rule 15/0(match): block in on fxp0: 
12.87.132.204.2491 > *.*.*.67.110: S 1294735275:1294735275(0) win 8760 <mss 
1460,nop,nop,sackOK> (DF)
Feb 18 11:54:33.183027 rule 53/0(match): pass out on fxp0: *.*.*.67.110 > 
12.87.132.204.2491: R 0:0(0) ack 1294735276 win 0


At 10:35 PM 2/18/2002 +0100, Daniel Hartmeier wrote:
>On Mon, Feb 18, 2002 at 03:15:52PM -0500, Blair Heiserman wrote:
>
> > I'm having some serious problems with PF. It doesn't seem to be filtering
> > everything appropriately. Specifically it seems to let browsers get through
> > to any port. I've been able to access addresses other than my web server,
> > and on non-conventional ports. When I try this with command-line utilities,
> > I am typically blocked. But browsers seem to get through. This is obviously
> > a big security problem. I have included most of my pf configuration file,
> > and a piece of the pflog which at least theoretically shows it being
> > blocked. However it still gets through despite what the pflog shows. I was
> > hoping that someone can point out a flaw in my config file.
>
>You didn't quote a tcpdump of a packet that's supposed to be blocked but
>was passed. I suggest you add 'log' to all of your rules and reproduce
>the behavior. Then check the log for the packets that you don't expect
>to be passed and see which rule is responsible. Without the full rule
>set, and without a captured packet, it's hard to tell where the problem
>is (could be one of the macros whose definition you didn't quote, for
>instance).
>
>Daniel
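
An added example, not part of the original thread or of PF itself: one way to run the log check suggested in the quoted reply, pairing every `pass out` entry with the blocked inbound packet it answers. It relies on `return-rst` and `return-icmp` making PF send a reply for a blocked packet; the verdict names and the fifth sample entry are constructed for illustration.

```python
import re

# Entries 1-4 are copied from the log above with mail-wrapped lines rejoined.
# Entry 5 is constructed: a SYN-ACK, which is what an accepted connection logs.
SAMPLE = """\
Feb 18 11:51:30.658275 rule 15/0(match): block in on fxp0: 12.87.132.204.2438 > *.*.*.77.80: S 1246986737:1246986737(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Feb 18 11:51:30.658947 rule 53/0(match): pass out on fxp0: *.*.*.77.80 > 12.87.132.204.2438: R 0:0(0) ack 1246986738 win 0
Feb 18 11:54:08.010856 rule 5/0(match): block in on fxp0: 12.87.132.204.1028 > *.*.*.85.161:  GetRequest(25) .1.3.6.1.2.1.25.3.2.1.5[|snmp]
Feb 18 11:54:08.011273 rule 55/0(match): pass out on fxp0: *.*.*.66 > 12.87.132.204: icmp: *.*.*.85 udp port 161 unreachable
Feb 18 11:55:00.000001 rule 53/0(match): pass out on fxp0: *.*.*.85.80 > 12.87.132.204.2500: S 99:99(0) ack 1300000001 win 16384
"""

ENTRY = re.compile(r"rule (\d+)/\d+\(match\): (block|pass) (in|out) on \S+: "
                   r"(\S+) > (\S+): +(.*)")
SYN = re.compile(r"S (\d+):\d+\(0\)")
RST = re.compile(r"R \d+:\d+\(0\) ack (\d+)")
UNREACH = re.compile(r"icmp: (\S+) udp port (\d+) unreachable")


def classify(log_text):
    """Return (rule, verdict) for every 'pass out' entry in a pflog text dump."""
    blocked_syn = {}       # (client ip.port, server ip.port) -> SYN sequence number
    blocked_other = set()  # (client ip, server ip.port) for blocked non-SYN packets
    results = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        rule, action, direction, src, dst, rest = m.groups()
        if action == "block" and direction == "in":
            syn = SYN.match(rest)
            if syn:
                blocked_syn[(src, dst)] = int(syn.group(1))
            else:
                blocked_other.add((src.rsplit(".", 1)[0], dst))
        elif action == "pass" and direction == "out":
            rst, icmp = RST.match(rest), UNREACH.match(rest)
            syn_seq = blocked_syn.get((dst, src))
            # A reset answering a blocked SYN acknowledges that SYN's sequence + 1.
            if rst and syn_seq is not None and int(rst.group(1)) == (syn_seq + 1) % 2**32:
                verdict = "rst-reply-to-blocked-syn"
            elif icmp and (dst, f"{icmp.group(1)}.{icmp.group(2)}") in blocked_other:
                verdict = "icmp-reply-to-blocked-udp"
            else:
                verdict = "unexplained-pass"  # inspect this packet and its rule
            results.append((int(rule), verdict))
    return results


if __name__ == "__main__":
    for rule, verdict in classify(SAMPLE):
        print(f"rule {rule}: {verdict}")
```

Only entries reported as `unexplained-pass` are outbound packets that no logged block accounts for; those are the ones to trace back to a rule.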