Re: PF failing to block?
On Mon, Feb 18, 2002 at 05:08:44PM -0500, Blair Heiserman wrote:
> @5 block return-icmp in log on fxp0 proto udp all
> @15 block return-rst in log on fxp0 proto tcp all flags S/SA
> @53 pass out quick on fxp0 proto tcp all keep state
> @55 pass out quick on fxp0 proto icmp all keep state
>
> Feb 18 11:51:30.658275 rule 15/0(match): block in on fxp0: 12.87.132.204.2438 > *.*.*.77.80: S 1246986737:1246986737(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> Feb 18 11:51:30.658947 rule 53/0(match): pass out on fxp0: *.*.*.77.80 > 12.87.132.204.2438: R 0:0(0) ack 1246986738 win 0
So, an external machine is trying to connect to your web server. The TCP
SYN packet is blocked by rule 15, and pf sends a TCP RST back. Nothing
unexpected here.
> Feb 18 11:51:55.508998 rule 15/0(match): block in on fxp0: 12.87.132.204.2441 > *.*.*.70.21: S 1253269040:1253269040(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> Feb 18 11:51:55.509632 rule 53/0(match): pass out on fxp0: *.*.*.70.21 > 12.87.132.204.2441: R 0:0(0) ack 1253269041 win 0
Same here, with ftp.
I fail to see where an external host sends a packet to the firewall that
isn't blocked. Can you quote one specific case where a packet that you
expect to be blocked is passed? Can you supply a tcpdump of the internal
interface (not pflog0) that shows such a packet having passed the
filter?
Daniel
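As an added illustration, not part of this thread: a Python script that reads tcpdump output from pflog0 in the format quoted above and labels each "pass out" RST that mirrors an earlier blocked SYN (reversed addresses, ack equal to the SYN sequence number plus one) as the reply generated by "block return-rst", rather than as a packet that got through the filter. The sample log lines are constructed from the ones quoted in the post, plus one unrelated RST that does not match any blocked SYN.

```python
import re

# Shape of a TCP line as tcpdump prints it from pflog0 (copied from the post);
# addresses are taken verbatim, the anonymised '*.*.*.77.80' form included.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w+ \d+ [\d:.]+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>[^\s:]+) > (?P<dst>[^\s:]+): (?P<flags>[SRPFA.]+) "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))? win \d+"
)

def parse(lines):
    """One dict per parseable TCP pflog line, in log order."""
    entries = []
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["seq"] = int(e["seq"])
            e["ack"] = int(e["ack"]) if e["ack"] else None
            entries.append(e)
    return entries

def classify(lines):
    """Label entries 'blocked', 'rst-for-blocked-syn' or 'passed'.
    An outbound RST on the reverse 5-tuple of an earlier blocked SYN with
    ack == SYN seq + 1 is the reply 'block return-rst' generates: it is
    logged by the 'pass out ... keep state' rule, but nothing leaked in."""
    entries = parse(lines)
    labels = []
    for i, e in enumerate(entries):
        verdict = "blocked" if e["action"] == "block" else "passed"
        if e["action"] == "pass" and e["dir"] == "out" and "R" in e["flags"]:
            for b in entries[:i]:
                if (b["action"] == "block" and b["flags"] == "S"
                        and b["src"] == e["dst"] and b["dst"] == e["src"]
                        and e["ack"] == b["seq"] + 1):
                    verdict = "rst-for-blocked-syn"
                    break
        labels.append((e["rule"], verdict))
    return labels

# Constructed sample: the two pairs quoted in the post plus one unrelated RST.
SAMPLE = """\
Feb 18 11:51:30.658275 rule 15/0(match): block in on fxp0: 12.87.132.204.2438 > *.*.*.77.80: S 1246986737:1246986737(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Feb 18 11:51:30.658947 rule 53/0(match): pass out on fxp0: *.*.*.77.80 > 12.87.132.204.2438: R 0:0(0) ack 1246986738 win 0
Feb 18 11:51:55.508998 rule 15/0(match): block in on fxp0: 12.87.132.204.2441 > *.*.*.70.21: S 1253269040:1253269040(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Feb 18 11:51:55.509632 rule 53/0(match): pass out on fxp0: *.*.*.70.21 > 12.87.132.204.2441: R 0:0(0) ack 1253269041 win 0
Feb 18 11:52:10.000000 rule 53/0(match): pass out on fxp0: *.*.*.77.80 > 12.87.132.204.2500: R 0:0(0) ack 99 win 0
""".splitlines()
```

Running `classify(SAMPLE)` labels both rule-53 entries from the post as the RST generated for the blocked SYN and only the constructed final RST as genuinely passed.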