|
||||
Rule #7 is your block drop in log all.
Your incoming packet does not match the only pass rule above it, which is rule #0: $piq on $V4EXTIF from $worf to ($V4EXTIF). It is very hard to read your pf.conf, but it obviously does not match any quick or slow rule following rule #7. Last edited by jggimi; 2nd October 2008 at 08:16 PM. |
|
||||
Thank you jggimi, something that just obviously never occured to me when I was writing it. I've moved some rules around and made sure the black drop in log all is at the top. Would having the management rule about the block for the blacklist table matter either? Sorry about the format of the ruleset I'll attach or paste links in the future.
__________________
It was a new day yesterday, but it's an old day now. |
|
||||
I moved things around and still the same problem, packets continue to match the default deny.
Code:
Oct 03 01:07:02.634952 rule 0/(match) block in on ral0: 192.168.1.125.15401 > 84.53.177.18.80: [|tcp] (DF) Oct 03 01:07:03.684990 rule 0/(match) block in on ral0: 192.168.1.125.32995 > 216.73.84.103.80: [|tcp] (DF) Oct 03 01:07:03.685663 rule 0/(match) block in on ral0: 192.168.1.125.17317 > 216.73.84.103.80: [|tcp] (DF) http://www.konundrum.org/pf.df
__________________
It was a new day yesterday, but it's an old day now. |
|
|||
Could you run tcpdump on pflog0 with a greater snap lenght, so we can see whether the initial packet of the 3-way TCP handshake gets blocked or one after the connection has been setup?
Code:
# tcpdump -n -s512 -i pflog0 Code:
# pfctl -vf block.pf block drop log all pass out quick on re0 inet proto udp from any to any port = domain keep state pass out quick on re0 inet proto udp from any to any port = ntp keep state Code:
# tcpdump -ni pflog0 tcpdump: listening on pflog0, link-type PFLOG 06:08:18.770421 192.168.222.20.27256 > 83.149.97.13.80: [|tcp] (DF) 06:08:20.255487 192.168.222.20.32520 > 83.149.97.13.80: [|tcp] (DF) Code:
# tcpdump -n -s512 -i pflog0 tcpdump: listening on pflog0, link-type PFLOG 06:09:07.793215 192.168.222.20.21686 > 83.149.97.13.80: S 2005153514:2005153514(0) nop,wscale 0,nop,nop,timestamp 3057449203 0> (DF) Try moving the pass quick on $INTIF all rule to the top of your ruleset (directly after the block rule) And please change that block rule to Code:
block log all
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Blocking MySpace | roddierod | Other OS | 3 | 12th April 2009 09:39 PM |
PF Blocking VPN Traffic | plexter | OpenBSD Security | 6 | 23rd January 2009 05:25 PM |
Firewall Blocking Good Traffic | plexter | OpenBSD Security | 6 | 8th January 2009 05:58 PM |
pf blocking php mail | ijk | FreeBSD Security | 7 | 30th October 2008 08:33 PM |
Blocking remote desktop apps | bichumo | General software and network | 3 | 30th September 2008 08:14 PM |