From owner-freebsd-pf@FreeBSD.ORG Tue May 10 17:13:12 2011
Date: Tue, 10 May 2011 18:45:08 +0200
From: Nicolas GRENECHE
To: freebsd-pf@freebsd.org
Subject: Filtering on a sensor dedicated interface
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hi,

We are currently experimenting with a way of capturing packets of supposedly compromised hosts with PF. So my question may seem a bit odd.

I have two interfaces, em0 and em1, connected to a network TAP. Running tcpdump on each shows me dumped packets, no problems. Those two interfaces are configured like this in rc.conf:

ifconfig_em0="promisc -arp up"
ifconfig_em1="promisc -arp up"

Loading rules:

sondedi# pfctl -f /etc/pf.conf.local
No ALTQ support in kernel
ALTQ related functions disabled

Showing rules:

sondedi# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
pass log on em0 inet from any to X.X.X.X no state
pass log on em1 inet from any to X.X.X.X no state

Now if I try to ssh to X.X.X.X, the pflog interface says nothing:

sondedi# tcpdump -netti pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

The rule doesn't seem to be matched. But a tcpdump tells everything:

sondedi# tcpdump -netti em0 dst port 22 and dst host X.X.X.X
tcpdump: WARNING: em0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
SOME PACKETS ...

Regarding tcpdump, packets seem to go through the interface. Why doesn't pf see them?

Regards,
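An added diagnostic for the discrepancy described above, not part of the original mail: pf evaluates rules at the IP layer through its pfil hooks, while tcpdump reads frames from BPF at the link layer, so the two can legitimately disagree. The script parses the per-rule counters that `pfctl -vsr` prints to show whether pf ever reached the `pass log on em0/em1` rules at all; the sample output is constructed and the interface names and counter values in it are assumptions.

```sh
#!/bin/sh
# `pfctl -vsr` prints under every rule a counter line such as
#   [ Evaluations: 12  Packets: 3  Bytes: 180  States: 0 ]
# Evaluations = how often pf reached the rule; Packets = how often it matched.
# Live use on the sensor:  pfctl -vsr | pf_rule_counters

# Print one tab-separated line per rule: rule text, evaluations, packets, verdict.
pf_rule_counters() {
    awk '
        # Rule lines start in column 1; skip the ALTQ notices the poster saw.
        /^[^ ]/ && !/^No ALTQ/ && !/^ALTQ/ { rule = $0; next }
        /^ *\[ Evaluations:/ {
            ev = $3 + 0; pk = $5 + 0
            if (ev == 0)      verdict = "never-evaluated"
            else if (pk == 0) verdict = "evaluated-no-match"
            else              verdict = "matching"
            printf "%s\t%d\t%d\t%s\n", rule, ev, pk, verdict
        }'
}

# Interfaces named by "on <if>" in rules pf never evaluated: traffic on these
# interfaces is not reaching pf at all, whatever BPF shows (space-separated).
pf_blind_interfaces() {
    pf_rule_counters | awk -F'\t' '
        $4 == "never-evaluated" {
            n = split($1, w, " ")
            for (i = 1; i < n; i++) if (w[i] == "on") print w[i + 1]
        }' | sort -u | xargs echo
}

# Constructed sample (not from a real host): the poster's two rules plus two
# assumed rules on em2 so that every verdict is exercised.
sample_pfctl_output() {
    cat <<'EOF'
No ALTQ support in kernel
ALTQ related functions disabled
pass log on em0 inet from any to X.X.X.X no state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
pass log on em1 inet from any to X.X.X.X no state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
block drop in log on em2 inet proto udp from any to any port = 53
  [ Evaluations: 57        Packets: 0         Bytes: 0           States: 0     ]
pass in on em2 inet proto tcp from any to any port = 22 keep state
  [ Evaluations: 57        Packets: 41        Bytes: 6120        States: 1     ]
EOF
}

sample_pfctl_output | pf_rule_counters
printf 'interfaces pf never evaluated: %s\n' "$(sample_pfctl_output | pf_blind_interfaces)"
```

A rule reported as never-evaluated while tcpdump shows traffic on its interface means the frames are not entering the path pf inspects, which is a different problem from a rule that is evaluated but does not match.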