From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 18:50:39 2008
Date: Mon, 8 Sep 2008 11:50:35 -0700
From: Jeremy Chadwick
To: freebsd-pf@freebsd.org
Message-ID: <20080908185035.GA76018@icarus.home.lan>
References: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com> <20080908180407.GB4100@verio.net>
In-Reply-To: <20080908180407.GB4100@verio.net>
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, Sep 08, 2008 at 01:04:07PM -0500, David DeSimone wrote:
> Dmitry Rybin wrote:
> >
> > PF doesn't block some IP!!!!
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table { 78.107.71.38 89.179.195.34 }
> >
> > block quick from
> > pass out
> > pass in
> > === pf.conf ===
> >
> > # pfctl -e -f /etc/pf.conf
> >
> > # tcpdump -netxi bge0 host 89.179.195.34
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> > 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
> > 0x0000: 4500 0037 3034 0000 3811 4089 59b3 c322
> > 0x0010: c30e 3215 0935 0035 0023 0314 8c1d 0100
> > 0x0020: 0001 0000 0000 0000 0565 6d69 6c73 0363
> > 0x0030: 6f6d 0000 0100 01
>
> Even if PF causes the packet to be dropped, it will still show up on
> your inbound interface. You cannot prevent the packet from being sent
> to you unless you block it further upstream.

I was going to reply with the same thing, but aborted -- his tcpdump
shows *bidirectional* traffic, both from the bad host and *to* the bad
host. OP's server is replying to the packet which pf has supposedly
blocked. This is why I think it's a state tracking thing and he might
need to use -k.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
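The check Jeremy applies by eye above, made repeatable as an added example (this is not code from the thread, from pf or from FreeBSD): the script parses `tcpdump -n` output, with or without the `-e` link-layer prefix, and for every address in a set of supposedly blocked hosts records whether packets only arrived from it or whether the local host also sent something back. A reply to a blocked address is the symptom described in the message and points to a state entry that was created before the block rule was loaded. The sample capture lines, the blocked set and the local address are constructed for this example (they reuse the addresses quoted in the thread), and the function names are my own.

```python
import re
from collections import defaultdict

# "src.port > dst.port:" as printed by tcpdump -n for IPv4; the -e MAC
# prefix uses colons, not dots, so it cannot match this pattern.
FLOW_RE = re.compile(
    r'(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):'
)

# Constructed sample: the DNS query from the thread, a reply to it,
# a SYN from the other listed host with no reply, and unrelated traffic.
SAMPLE_LINES = [
    "00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69: "
    "89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)",
    "00:1c:c4:81:2f:9e > 00:1a:a1:69:35:43, ethertype IPv4 (0x0800), length 85: "
    "195.14.50.21.53 > 89.179.195.34.2357: 35869 1/0/0 A 203.0.113.10 (43)",
    "00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 60: "
    "78.107.71.38.40001 > 195.14.50.21.22: Flags [S], seq 1, win 65535, length 0",
    "00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 60: "
    "192.0.2.7.51000 > 195.14.50.21.80: Flags [S], seq 1, win 65535, length 0",
]
BLOCKED = {"78.107.71.38", "89.179.195.34"}   # contents of the pf table (assumed)
LOCAL = {"195.14.50.21"}                        # the capturing host's own address


def parse_flows(lines):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each line carrying an IPv4 4-tuple."""
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def check_blocked_hosts(lines, blocked, local):
    """Map each blocked address that appears in the capture to the directions seen.

    'in'  = a packet from the blocked host reached us (expected even when pf
            drops it, as David points out: the filter cannot stop arrival).
    'out' = we sent a packet to the blocked host, which a 'block quick' rule
            should never allow; an existing state entry bypasses the ruleset.
    """
    seen = defaultdict(set)
    for src, _sport, dst, _dport in parse_flows(lines):
        if src in blocked and dst in local:
            seen[src].add("in")
        elif dst in blocked and src in local:
            seen[dst].add("out")
    return dict(seen)


def leaking_hosts(lines, blocked, local):
    """Blocked addresses the local host is still talking to, sorted."""
    report = check_blocked_hosts(lines, blocked, local)
    return sorted(ip for ip, dirs in report.items() if "out" in dirs)


if __name__ == "__main__":
    for ip, dirs in sorted(check_blocked_hosts(SAMPLE_LINES, BLOCKED, LOCAL).items()):
        status = "LEAKING (we reply)" if "out" in dirs else "ok (inbound only)"
        print(f"{ip:16} {status}")
```

On a live host the input would be the lines from `tcpdump -ni bge0 -l host <address>` rather than the constructed list. An address reported as leaking does not mean the rule is wrong: pf matches a packet against the state table before it evaluates the ruleset, and loading a new ruleset with `pfctl -f` leaves existing states in place. Killing the states that involve the host, `pfctl -k 89.179.195.34` (the `-k` Jeremy refers to), makes the next packet from it fall through to the `block quick` rule, after which a second capture should show only inbound packets.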