Date:      Mon, 8 Aug 2005 16:54:25 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Sergey Lapin <slapinid@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Fwd: pf problems
Message-ID:  <20050808145425.GI11104@insomnia.benzedrine.cx>
In-Reply-To: <48239d3905080807182fef6a5b@mail.gmail.com>
References:  <48239d390508040958265ce62@mail.gmail.com> <48239d3905080504297b3ebc89@mail.gmail.com> <200508060411.05482.max@love2party.net> <48239d390508080452270c8d10@mail.gmail.com> <42F7502C.4070003@tirloni.org> <48239d3905080807182fef6a5b@mail.gmail.com>

On Mon, Aug 08, 2005 at 06:18:28PM +0400, Sergey Lapin wrote:

> It does not help. Actually, it looks like pf does not have control
> over outgoing packets produced by pf itself. I can neither block
> nor reroute these packets. I checked this very easily - I created the
> rules
> 
> block out log quick from SOME_OUTSIDE_HOST/32 to any
> block out log quick from any to SOME_OUTSIDE_HOST/32
> 
> and made them the very first rules of the firewall. Needless to say, when I
> tried to telnet to router port 9999 from SOME_OUTSIDE_HOST, tcpdump on
> the pflog0 device got the incoming SYN but did not show the RST. On the
> other hand, tcpdump on the default gateway interface showed the outgoing
> RST. Again, from this I conclude that pf-generated packets (RST/ICMP)
> are not subject to ruleset processing.

No, they are not.

You can try a 6.0 RC containing a newer version of pf which sends TCP
RSTs (generated by 'return-rst') back out through the interface the
blocked packet came in through.

Alternatively, use multiple filtering devices, one in front of each
uplink.

Daniel
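The following pf.conf sketch is an added example, not a ruleset from the thread or from the pf project. It puts the quoted `block out` rules and a `return-rst` rule side by side on a two-uplink router so the behaviour both writers describe can be checked with tcpdump. The interface names em0/em1, the address 192.0.2.10 and port 9999 are assumptions for illustration.

```pf
# Added example (not from the thread). Assumed names: em0 is the default-route
# uplink, em1 the second uplink, 192.0.2.10 stands in for SOME_OUTSIDE_HOST.
uplink1 = "em0"
uplink2 = "em1"
outside_host = "192.0.2.10"

# The two rules from the quoted test. They match traffic that pf filters on
# the way out, but the RST/ICMP packets pf generates itself never pass
# through the ruleset, so nothing for them appears on pflog0.
block out log quick from $outside_host to any
block out log quick from any to $outside_host

# A plain "block" drops silently; no RST is produced at all, so there is
# nothing to reroute in the first place.
block in log quick on $uplink1 proto tcp from any to ($uplink1) port 9999

# "return-rst" makes pf answer the blocked SYN with a RST. On the pf in the
# thread the RST followed the routing table and left through $uplink1, the
# default-gateway interface, even when the SYN arrived on $uplink2. On the
# newer pf in the 6.0 RC Daniel mentions, the RST is sent back out through
# the interface the SYN came in on, i.e. $uplink2 here.
block return-rst in log quick on $uplink2 proto tcp from any to ($uplink2) port 9999

# Checks (run on the router while connecting to port 9999 from the outside):
#   tcpdump -n -e -ttt -i pflog0
#       shows the logged SYN; pf's own RST is not logged here on any version
#   tcpdump -ni em0 'tcp[tcpflags] & tcp-rst != 0 and port 9999'
#   tcpdump -ni em1 'tcp[tcpflags] & tcp-rst != 0 and port 9999'
#       whichever capture shows the RST is the interface pf used to send it
```

The pflog0 capture is the tell: a SYN logged by a `return-rst` rule with no matching RST on pflog0 is the expected result on every version, so the interface captures, not the log, decide whether the RST took the ingress interface or the default route.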


