Date:      Sat, 18 Nov 2017 11:13:33 +0100
From:      "Kristof Provost" <kristof@sigsegv.be>
To:        "Dave Horsfall" <dave@horsfall.org>
Cc:        "FreeBSD PF List" <freebsd-pf@freebsd.org>
Subject:   Re: Why is PF rejecting these connections?
Message-ID:  <80FABA34-F562-4158-B083-E1488345F249@sigsegv.be>
In-Reply-To: <alpine.BSF.2.21.1711181201020.780@aneurin.horsfall.org>
References:  <alpine.BSF.2.21.1711181201020.780@aneurin.horsfall.org>

On 18 Nov 2017, at 2:20, Dave Horsfall wrote:
> I have PF (FreeBSD 10.4) configured to drop suspicious packets e.g. 
> those claiming to be ACKs for non-existent connections etc, but I'm 
> seeing some weirdness in the logs.  Now, I sort of inherited the 
> configuration and don't fully understand each directive, but if it 
> works for someone I trust, well...
>
> Anyway, here are some sample log entries:
>
>     23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
>     23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
>     [...]
>     23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
>     23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
>
Can you post a full pcap capture? It’s very hard to figure things out 
from a text summary of a packet.
Where and how were these logged? How do you know they’re being 
dropped?

> Etc; the common theme appears to be those options whose purpose I 
> don't quite grok, but are presumably legal in this context.
>
> The relevant lines from my pf.conf seem to be:
>
>     set block-policy drop
>     set loginterface egress
>     #set ruleset-optimization basic
>     scrub in
>     block all
>     pass out quick all keep state
>     antispoof log quick for $ext_if inet
>     [ Sundry pass/block rules ]
>
Are these incoming or outgoing packets? I really can’t tell what’s 
going on from your report.

Regards,
Kristof
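Kristof's question "how do you know they're being dropped?" can be answered from a text log when the same SYN (same four-tuple and initial sequence number) is retransmitted and no SYN-ACK for it ever appears, which is what the pairs quoted above look like. The Python below is an added example, not code from the thread: it parses tcpdump-format lines (a constructed sample mixing the quoted ones with one invented handshake that does succeed), reports such unanswered retransmits, and flags the `[|tcp]` marker, which means tcpdump's snaplen cut the capture before the TCP options ended, so the options cannot be judged from these lines at all.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump format as the thread: the two retransmitted
# SYN pairs quoted above plus one made-up handshake that does get a SYN-ACK.
SAMPLE_LOG = """\
23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:20:01.000000 IP mx.example.net.51000 > aneurin.kfu.smtp: Flags [S], seq 7, win 65535, options [mss 1460,sackOK,TS[|tcp]>
23:20:01.000400 IP aneurin.kfu.smtp > mx.example.net.51000: Flags [S.], seq 9, ack 8, win 65535, options [mss 1460,sackOK,TS[|tcp]>
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
"""

# Host names contain dots, so the port is whatever follows the last dot before " > " or ":".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)

def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["seq"] = int(pkt["seq"])
    # "[|tcp]" is tcpdump's marker that the captured bytes ended before the TCP
    # options did (snaplen too small); the options cannot be inspected from this line.
    pkt["truncated"] = "[|tcp]" in line
    return pkt

def unanswered_syn_retransmits(log_text):
    """Flows where the same SYN (same 4-tuple and ISN) appears more than once and no
    SYN-ACK for it is logged: the trace a silently dropped SYN leaves behind."""
    syns = defaultdict(list)
    answered = set()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":
            syns[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])].append(pkt["ts"])
        elif pkt["flags"] == "S.":
            # A SYN-ACK from dst back to src answers the client's (src, sport, dst, dport).
            answered.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    return sorted(
        (key, times) for key, times in syns.items()
        if len(times) > 1 and key[:4] not in answered
    )
```

Running it over the sample reports the two aruba.it and mailinfo.ga flows and leaves the example.net handshake alone; with a full pcap the same check is simply `tcp.analysis.retransmission` in Wireshark.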
