[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PF failing to block?

To: Blair Heiserman <bheiserm@primexus.com>
Subject: Re: PF failing to block?
From: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Tue, 19 Feb 2002 00:31:30 +0100
Cc: misc@openbsd.org
Content-Disposition: inline
References: <5.1.0.14.0.20020218150552.00a9a778@golem.primexus.com> <5.1.0.14.0.20020218150552.00a9a778@golem.primexus.com> <20020218223552.A78@insomnia.benzedrine.cx> <5.1.0.14.0.20020218170540.03afe398@golem.primexus.com>
User-Agent: Mutt/1.2.5.1i

On Mon, Feb 18, 2002 at 05:08:44PM -0500, Blair Heiserman wrote:

> Feb 18 11:51:30.658275 rule 15/0(match): block in on fxp0: 
> 12.87.132.204.2438 > *.*.*.77.80: S 1246986737:1246986737(0) win 8760 <mss 
> 1460,nop,nop,sackOK> (DF)
> Feb 18 11:51:30.658947 rule 53/0(match): pass out on fxp0: *.*.*.77.80 > 
> 12.87.132.204.2438: R 0:0(0) ack 1246986738 win 0

Oh, is that TCP RST actually sent by .77?

Your 'block ... proto tcp ... flags S/SA' rule is a little odd. It does
only block TCP packets with SYN set and ACK unset. Other TCP packets can
get through, and the answers of the internal host that get out then
create state.

Usually, you'd use 'flags S/SA' on the pass rule that creates state, and
don't specify flags in general block rules. Try without specifying
flags, unless you know what you want there.

Daniel

Follow-Ups:
- Re: PF failing to block?
  - From: Blair Heiserman <bheiserm@primexus.com>

References:
- PF failing to block?
  - From: Blair Heiserman <bheiserm@primexus.com>
- Re: PF failing to block?
  - From: Daniel Hartmeier <daniel@benzedrine.cx>
- Re: PF failing to block?
  - From: Blair Heiserman <bheiserm@primexus.com>

Prev by Date: Re: How to write..
Next by Date: [VPN] IPSEC traffic going out, and back, but still not quite there
Prev by thread: Re: PF failing to block?
Next by thread: Re: PF failing to block?
Index(es):
- Date
- Thread