Quote:
Originally Posted by ocicat
Please provide the following:
- The output of:
$ sysctl kern.version
- Please post your complete ruleset.
|
Kernel Version:
Complete Ruleset:
Quote:
ext_if="fxp0"
int_if="vr0"
local_net="172.16.1.0/24"
localhost="127.0.0.1"
www="{80, 443}"
squid_intercept="3129"
tcp="{80,443}"
udp="{53,123}"
set skip on lo
set loginterface pppoe0
set debug err
set block-policy drop
set state-policy if-bound
set reassemble yes
set state-defaults pflow
set optimization aggressive
set timeout interval 2
set timeout frag 7
set timeout {tcp.first 10, tcp.established 18000, tcp.opening 3, tcp.closing 10, tcp.finwait 10, tcp.closed 10, udp.first 10, udp.single 10, udp.multiple 20, icmp.first 10, icmp.error 5, other.first 20, other.single 18, other.multiple 30}
set limit {states 20000, src-nodes 20000, frags 1000}
match on pppoe0 scrub (reassemble tcp,random-id,no-df,max-mss 1440,min-ttl 64)
match out on pppoe0 inet from !(egress:network) to any nat-to (pppoe:0)
antispoof log for {$ext_if,$int_if}
block drop log
pass out on {pppoe0,$ext_if,$int_if} inet proto tcp modulate state
pass out on {pppoe0,$ext_if,$int_if} inet proto udp keep state
pass out on {pppoe0,$ext_if,$int_if} inet proto icmp all icmp-type echoreq keep state
#No Proxy
#Allow internal lan enter gateway
#pass in log on $int_if inet proto tcp from any to any port $tcp modulate state (max 40,source-track rule,max-src-nodes 40,max-src-states 40,max-src-conn 30,max-src-conn-rate 20/20)
#squid intercept
pass in quick on $int_if proto tcp from $local_net to any port $www divert-to $localhost port $squid_intercept
pass out quick inet from $local_net divert-reply
|
By the way, here is the latest block-out tcpdump output, which shows that the destination IP addresses belong to my ISP (1.9.57.44, 1.9.57.157, 1.9.57.247).
Quote:
Sep 02 20:51:42.428822 rule 3/(match) block in on pppoe0: 165.254.27.99.80 > 115.133.211.214.18171: S 638590200:638590200(0) ack 1190877752 win 14600 <mss 1460> (DF) [tos 0x8]
Sep 02 20:52:04.811605 rule 3/(match) block in on pppoe0: 162.244.35.24.42657 > 115.133.211.214.21320: S 4249006112:4249006112(0) win 65535
Sep 02 20:53:10.657874 rule 3/(match) block in on pppoe0: 42.99.254.160.80 > 115.133.211.214.18171: S 264356092:264356092(0) ack 1190877752 win 14600 <mss 1460> (DF)
Sep 02 20:54:30.499253 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.247.443: FP 3485237390:3485237513(123) ack 1019492554 win 2048 <nop,nop,timestamp 2999664311 401604807> (DF)
Sep 02 20:55:07.886939 rule 3/(match) block in on pppoe0: 118.161.247.142.4890 > 60.48.77.44.25: S 693095165:693095165(0) win 65535 <mss 1440,nop,nop,sackOK> (DF)
Sep 02 20:55:10.778957 rule 3/(match) block in on pppoe0: 118.161.247.142.4890 > 60.48.77.44.25: S 693095165:693095165(0) win 65535 <mss 1440,nop,nop,sackOK> (DF)
Sep 02 20:55:14.838638 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.22.221.443: FP 3833208431:3833208554(123) ack 187433726 win 2048 <nop,nop,timestamp 1676886394 1225966772>
Sep 02 20:55:16.789695 rule 3/(match) block in on pppoe0: 118.161.247.142.4890 > 60.48.77.44.25: S 693095165:693095165(0) win 65535 <mss 1440,nop,nop,sackOK> (DF)
Sep 02 20:55:34.498240 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.247.443: FP 0:123(123) ack 1 win 2048 <nop,nop,timestamp 2999664439 401604807>
Sep 02 20:55:35.198254 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 173.194.120.138.443: FP 2115712045:2115712168(123) ack 2256776203 win 2048 <nop,nop,timestamp 740998892 1791702893> (DF)
Sep 02 20:55:35.198441 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.157.443: FP 2773787168:2773787291(123) ack 969532157 win 2048 <nop,nop,timestamp 2107601466 3454701885> (DF)
Sep 02 20:55:37.359272 rule 3/(match) block in on pppoe0: 198.46.141.130.37402 > 60.48.77.44.123: [len=8] v2 res2 strat 0 poll 3 prec 42 (DF)
Sep 02 20:55:48.678275 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.247.443: FP 424208711:424209978(1267) ack 423617941 win 2048 <nop,nop,timestamp 2306166214 4072680920> (DF)
Sep 02 20:55:59.088108 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.44.80: FP 2781495408:2781495837(429) ack 637133820 win 2048 <nop,nop,timestamp 2500877741 3042542058>
Sep 02 20:56:18.837798 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.22.221.443: FP 0:123(123) ack 1 win 2048 <nop,nop,timestamp 1676886522 1225966772> (DF)
Sep 02 20:56:38.497563 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.247.443: FP 0:123(123) ack 1 win 2048 <nop,nop,timestamp 2999664567 401604807>
Sep 02 20:56:39.197593 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 173.194.120.138.443: FP 0:123(123) ack 1 win 2048 <nop,nop,timestamp 740999020 1791702893>
Sep 02 20:56:39.198050 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.157.443: FP 0:123(123) ack 1 win 2048 <nop,nop,timestamp 2107601594 3454701885>
Sep 02 20:56:52.677692 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.247.443: FP 424208711:424209978(1267) ack 423617941 win 2048 <nop,nop,timestamp 2306166342 4072680920>
|
Please provide some explanation of this. Thank you very much.
|
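As an added example (not part of this post, and not an OpenBSD tool), here is a small Python script that parses pflog lines in the tcpdump format quoted above and groups the blocked packets by direction and TCP flags. The property it makes visible is that pf consults the ruleset only for packets that match no existing state entry, so an outbound TCP segment without SYN that reaches the block rule belongs to a connection pf was not tracking at that moment; the script counts those, and how many of them carry source port 0, as every outbound block in the quoted log does. The regular expression for the line format and the field names are assumptions made for this example; the sample lines are copied from the tcpdump output in the post.

```python
import re
from collections import Counter

# Shape of a pflog line as printed by tcpdump on OpenBSD, e.g.
# "Sep 02 20:51:42.428822 rule 3/(match) block in on pppoe0: 1.2.3.4.80 > 5.6.7.8.18171: S ..."
# The regex is an assumption about that output format, not an official grammar.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)
# Old-style tcpdump TCP flag token: "S", "FP", "R", "." ... ("ack" is printed separately)
TCP_FLAGS_RE = re.compile(r"^[SFPRUEW.]+$")


def parse_line(line):
    """Parse one pflog/tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    first_token = rec["rest"].split(" ", 1)[0]
    if TCP_FLAGS_RE.match(first_token):
        rec["proto"] = "tcp"
        rec["flags"] = first_token
    else:
        # tcpdump decodes some UDP payloads (e.g. NTP on port 123) instead of printing flags
        rec["proto"] = "other"
        rec["flags"] = ""
    return rec


def summarize(lines):
    """Group blocked packets and single out outbound TCP segments that matched no state."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    counts = Counter((r["direction"], r["proto"], r["flags"]) for r in recs)
    # pf evaluates the ruleset only for packets that matched no existing state entry.
    # A blocked outbound TCP segment without SYN therefore belongs to a connection
    # pf is not tracking (state already gone, or the packet never matched a pass rule).
    midstream_out = [
        r for r in recs
        if r["action"] == "block" and r["direction"] == "out"
        and r["proto"] == "tcp" and "S" not in r["flags"]
    ]
    return {
        "parsed": len(recs),
        "counts": dict(counts),
        "midstream_out": len(midstream_out),
        "zero_source_port": sum(1 for r in midstream_out if r["sport"] == 0),
        "midstream_out_dports": sorted({r["dport"] for r in midstream_out}),
        "midstream_out_dsts": sorted({r["dst"] for r in midstream_out}),
    }


# Sample input: lines copied from the tcpdump output quoted in the post above.
SAMPLE_LOG = """\
Sep 02 20:51:42.428822 rule 3/(match) block in on pppoe0: 165.254.27.99.80 > 115.133.211.214.18171: S 638590200:638590200(0) ack 1190877752 win 14600 <mss 1460> (DF) [tos 0x8]
Sep 02 20:54:30.499253 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.247.443: FP 3485237390:3485237513(123) ack 1019492554 win 2048 <nop,nop,timestamp 2999664311 401604807> (DF)
Sep 02 20:55:07.886939 rule 3/(match) block in on pppoe0: 118.161.247.142.4890 > 60.48.77.44.25: S 693095165:693095165(0) win 65535 <mss 1440,nop,nop,sackOK> (DF)
Sep 02 20:55:37.359272 rule 3/(match) block in on pppoe0: 198.46.141.130.37402 > 60.48.77.44.123: [len=8] v2 res2 strat 0 poll 3 prec 42 (DF)
Sep 02 20:55:59.088108 rule 3/(match) block out on pppoe0: 60.48.77.44.0 > 1.9.57.44.80: FP 2781495408:2781495837(429) ack 637133820 win 2048 <nop,nop,timestamp 2500877741 3042542058>
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding a longer pflog capture through `summarize()` (for instance the output of `tcpdump -n -e -ttt -r /var/log/pflog`, whose line shape is what the regex assumes) gives a quick split between unsolicited inbound SYNs, which the default block is meant to catch, and outbound mid-stream segments, which point at state handling rather than at the remote side.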