Date:      Mon, 8 Sep 2008 11:50:35 -0700
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: FreeBSD 7.1-PRERELEASE Trouble
Message-ID:  <20080908185035.GA76018@icarus.home.lan>
In-Reply-To: <20080908180407.GB4100@verio.net>
References:  <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com> <20080908180407.GB4100@verio.net>

On Mon, Sep 08, 2008 at 01:04:07PM -0500, David DeSimone wrote:
> Dmitry Rybin <kirgudu@kirgudu.org> wrote:
> >
> > PF doesn't block some IP!!!!
> > 
> > === pf.conf ===
> > 
> > ext_if="bge0"
> > table <dnsflood> { 78.107.71.38 89.179.195.34 }
> > 
> > block quick from <dnsflood>
> > pass out
> > pass in
> > === pf.conf ===
> > 
> > # pfctl -e -f /etc/pf.conf
> > 
> > # tcpdump -netxi bge0 host 89.179.195.34
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> > 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
> >         0x0000:  4500 0037 3034 0000 3811 4089 59b3 c322
> >         0x0010:  c30e 3215 0935 0035 0023 0314 8c1d 0100
> >         0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
> >         0x0030:  6f6d 0000 0100 01
> 
> Even if PF causes the packet to be dropped, it will still show up on
> your inbound interface.  You cannot prevent the packet from being sent
> to you unless you block it further upstream.

I was going to reply with the same thing, but aborted -- his tcpdump
shows *bidirectional* traffic, both from the bad host and *to* the
bad host.  OP's server is replying to the packet which pf has supposedly
blocked.

This is why I think it's a state tracking thing and he might need
to use -k.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
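
One way to check the state-tracking hypothesis raised in the reply above, as an added example that is not part of the original message: pf matches packets against existing states before it evaluates the ruleset, so the script lists states that still have a blocked address as an endpoint and prints the `pfctl -k` command for each. The function names, the sample state lines and the `blocked.txt` file name are constructed for illustration, and the state-line layout is an assumption to compare against real `pfctl -ss` output.

```shell
#!/bin/sh
# Added example (not from the thread). IPv4 only. The state-line layout is an
# assumption based on the constructed sample below; compare with real `pfctl -ss`.

# scan_states MODE ADDR_FILE < state_listing
#   MODE=states : print each state line that has a blocked address as an endpoint
#   MODE=kill   : print one "pfctl -k ADDR" per blocked address that owns a state
scan_states() {
    awk -v mode="$1" '
        FILENAME == ARGV[1] { if ($1 != "") blocked[$1] = 1; next }
        {
            for (i = 1; i <= NF; i++) {
                addr = $i
                sub(/:[0-9]+$/, "", addr)          # drop the :port suffix
                if (!(addr in blocked)) continue
                if (mode == "states") { print; next }
                if (!(addr in seen)) { seen[addr] = 1; print "pfctl -k " addr }
            }
        }' "$2" -
}

# Constructed sample of a state listing: two states created by a blocked host
# before the block rule was loaded, plus one unrelated state.
sample_states() {
    cat <<'EOF'
all udp 195.14.50.21:53 <- 89.179.195.34:2357       SINGLE:MULTIPLE
all udp 195.14.50.21:53 <- 89.179.195.34:2358       SINGLE:MULTIPLE
all tcp 195.14.50.21:22 <- 192.0.2.10:50412       ESTABLISHED:ESTABLISHED
EOF
}

# Demo on the sample. On a live firewall, feed it real data instead:
#   pfctl -t dnsflood -T show > blocked.txt
#   pfctl -ss | scan_states kill blocked.txt
demo() {
    list=$(mktemp) || return 1
    printf '78.107.71.38\n89.179.195.34\n' > "$list"   # addresses from the table on the page
    sample_states | scan_states states "$list"
    sample_states | scan_states kill "$list"
    rm -f "$list"
}
demo
```

An empty result from `states` mode means no leftover state explains the replies, and the ruleset itself is the next thing to inspect.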




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080908185035.GA76018>