[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: strange results with pf

To: "Alexei G. Malinin" <mag@ecom-it.ru>
Subject: Re: strange results with pf
From: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Wed, 20 Aug 2003 12:11:11 +0200
Cc: tech@openbsd.org
Content-Disposition: inline
References: <200308200838.h7K8cGtj002138@mx.ecom-it.ru> <1061370838.352.2.camel@Active2> <200308200930.h7K9Uotj015728@mx.ecom-it.ru> <20030820094145.GA7790@insomnia.benzedrine.cx> <200308200957.h7K9vntj023375@mx.ecom-it.ru>
User-Agent: Mutt/1.4.1i

On Wed, Aug 20, 2003 at 01:57:37PM +0400, Alexei G. Malinin wrote:

> I scanned from separate host.

Then make sure the nmap probes actually get sent by that host (if that
host is also running a packet filter, that's not a safe assumption),
tcpdump on its external interface.

Then tcpdump on the pf box' external interface, do you see the probes
arrive? If so, do you see any replies sent by the pf box? If not (and
only in this case) you can start to debug the ruleset.

Add 'log' to all block and scrub rules. Scrubbing comes first, if the
scrubber drops an incoming probe (due to invalid xmas flags), it will
just drop the packet, and your 'block return-icmp' rule is irrelevant.

Make sure pflogd is running and check /var/log/pflog.

Daniel

Follow-Ups:
- Re: strange results with pf
  - From: "Alexei G. Malinin" <mag@ecom-it.ru>

References:
- strange results with pf
  - From: "Alexei G. Malinin" <mag@ecom-it.ru>
- Re: strange results with pf
  - From: Matthijs Mohlmann <matthijs@active2.homelinux.org>
- Re: strange results with pf
  - From: "Alexei G. Malinin" <mag@ecom-it.ru>
- Re: strange results with pf
  - From: Daniel Hartmeier <daniel@benzedrine.cx>
- Re: strange results with pf
  - From: "Alexei G. Malinin" <mag@ecom-it.ru>

Prev by Date: Re: strange results with pf
Next by Date: Re: strange results with pf
Prev by thread: Re: strange results with pf
Next by thread: Re: strange results with pf
Index(es):
- Date
- Thread