Date:      Mon, 1 May 2006 22:07:23 +0300
From:      "Vlad GALU" <vladgalu@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: should tcpdump see blocked packets?
Message-ID:  <79722fad0605011207j5e51cf17sc47fccd24e30508d@mail.gmail.com>
In-Reply-To: <D5972F49810A69449A9EA72A4B360DC2D0A07B@e1.universe.dart.spb>
References:  <D5972F49810A69449A9EA72A4B360DC2D0A07B@e1.universe.dart.spb>

On 5/1/06, Dmitry Andrianov <dimas@dataart.com> wrote:
> Hello all.
>
> I was under the impression that tcpdump on any interface should NOT see
> incoming packets which are blocked by pf rules - these packets should
> only appear on pflog0 interface (and only if logged explicitly by "block
> log"/"pass log" rule).
>
> But right now I see that tcpdump -pni em0 (where em0 is my DMZ
> interface) actually sees packets which should not be there (because they
> are blocked)! Interestingly enough, these packets are also visible with
> tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in
> my ruleset, only the "block + log" ones, the only explanation I see is
> that tcpdump sees packets on em0 before they are processed by pf. This
> worries me because for other interfaces tcpdump does not see blocked
> traffic. I wonder why this happens.
>

   Because of the bpf hooks in each driver. This is the expected behaviour.

> Regards,
> Dmitry Andrianov


--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
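
An added example, not part of the original messages: because the BPF tap on em0 sees packets before pf acts on them, the em0 capture alone says nothing about pf's decision, so this sketch labels each packet from an em0 capture with the verdict found in a pflog0 capture. The sample lines are constructed, their format is modelled on `tcpdump -pni em0` and `tcpdump -n -e -i pflog0` output (an assumption that may vary by tcpdump version), and the function names are hypothetical.

```python
import re

# Constructed sample output (not from the thread); the line format is an
# assumption modelled on tcpdump and may differ between versions.
EM0_CAPTURE = """\
22:01:10.100001 IP 203.0.113.5.40000 > 192.0.2.10.23: Flags [S], seq 1, win 65535, length 0
22:01:10.200002 IP 203.0.113.9.40100 > 192.0.2.10.80: Flags [S], seq 7, win 65535, length 0
22:01:10.300003 IP 203.0.113.5.40001 > 192.0.2.10.445: Flags [S], seq 9, win 65535, length 0
"""
PFLOG0_CAPTURE = """\
22:01:10.100009 rule 3/0(match): block in on em0: 203.0.113.5.40000 > 192.0.2.10.23: Flags [S], seq 1, win 65535, length 0
22:01:10.300011 rule 3/0(match): block in on em0: 203.0.113.5.40001 > 192.0.2.10.445: Flags [S], seq 9, win 65535, length 0
"""

FLOW = r"(?:IP )?(?P<src>\S+) > (?P<dst>[^\s:]+):"  # IPv4 addr.port pairs only
EM0_RE = re.compile(r"^\S+ " + FLOW)
PFLOG_RE = re.compile(
    r"^\S+ rule (?P<rule>[\d.]+)/\d+\(\w+\): "
    r"(?P<action>\w+) (?:in|out) on (?P<ifname>\S+): " + FLOW)

def pf_verdicts(pflog_text, ifname):
    """Map (src, dst) -> (action, rule) for packets pf logged on ifname."""
    verdicts = {}
    for line in pflog_text.splitlines():
        m = PFLOG_RE.match(line)
        if m and m["ifname"] == ifname:
            verdicts[(m["src"], m["dst"])] = (m["action"], m["rule"])
    return verdicts

def classify(em0_text, pflog_text, ifname="em0"):
    """Label each packet the BPF tap saw with pf's logged verdict, if any."""
    verdicts = pf_verdicts(pflog_text, ifname)
    result = []
    for line in em0_text.splitlines():
        m = EM0_RE.match(line)
        if m:
            key = (m["src"], m["dst"])
            action, rule = verdicts.get(key, ("not logged", None))
            result.append((m["src"], m["dst"], action, rule))
    return result

if __name__ == "__main__":
    for src, dst, action, rule in classify(EM0_CAPTURE, PFLOG0_CAPTURE):
        print(f"{src} > {dst}: {action}" + (f" (rule {rule})" if rule else ""))
```

A "not logged" result only means no logging rule matched the packet; it does not by itself show that pf passed it.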


