Date: Mon, 8 Sep 2008 23:10:45 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Dmitry Rybin <kirgudu@kirgudu.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble
Message-ID: <20080909061045.GA88034@icarus.home.lan>
In-Reply-To: <9bc4ff5c0809082220v42bd264dp21088a15d3eb6319@mail.gmail.com>
References: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com> <20080908180407.GB4100@verio.net> <20080908185035.GA76018@icarus.home.lan> <9bc4ff5c0809082220v42bd264dp21088a15d3eb6319@mail.gmail.com>
On Tue, Sep 09, 2008 at 09:20:20AM +0400, Dmitry Rybin wrote:
> === pf.conf ===
> ext_if="bge0"
>
> block in quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
> # pfctl -f
> # pfctl -t dnsflood -Tadd 78.107.71.38
> # pfctl -t dnsflood -Tadd 89.179.195.34
> # pfctl -t dnsflood -Tshow
> 78.107.71.38
> 89.179.195.34
>
> and so on.
> # pfctl -k 78.107.71.38
> killed 1 states from 1 sources and 0 destinations
> [root@earth /opt/home/kirgudu]# tcpdump -ibge0 -p -n host 78.107.71.38
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:12:37.260545 IP 78.107.71.38.46316 > 195.14.50.21.53: 21852+ TXT? 170.225.6.117.bl.spamcop.net. (46)
> 09:12:37.812533 IP 78.107.71.38.46317 > 195.14.50.21.53: 52423+ PTR? 142.220.10.10.in-addr.arpa. (44)
> 09:12:38.838395 IP 195.14.50.21.53 > 78.107.71.38.42859: 13664 ServFail 0/0/0 (46)
> 09:12:38.838420 IP 195.14.50.21.53 > 78.107.71.38.42859: 6698 ServFail 0/0/0 (46)
> 09:12:39.028347 IP 78.107.71.38.46318 > 195.14.50.21.53: 3221+ PTR? 109.220.10.10.in-addr.arpa. (44)
> 09:12:39.492471 IP 78.107.71.38.46319 > 195.14.50.21.53: 1887+ PTR? 57.63.8.58.in-addr.arpa. (41)
>
> # pfctl -s state|grep 78.107.71.38
> all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
>
> DNS service replying to the blocked host.
>
> # pfctl -s rules
> block drop quick in on bge0 inet from <dnsflood> to any
> pass in all flags S/SA keep state
> pass out all flags S/SA keep state

Hmm, it appears that even with the "block" rule in place, and all previous
state table entries flushed, the packet is somehow making it through.

Does "pfctl -T show -t dnsflood -v" show any hits for In/Block hits on the
table entry for 78.107.71.38?  (I doubt it, but I want to make sure).

Only two ideas I have left:

1) Are you *absolutely sure* the packets are arriving on bge0 and not some
   other interface?

2) Is pf processing even enabled?

   pfctl -s info | head -1

Also, you removed the freebsd-pf mailing list from your response to me.
I don't know why, so I've re-added it.

If none of the above helps, then I'm out of ideas and David or Max will
have to assist in figuring out the root cause.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
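The state line quoted in the thread (`195.14.50.21:53 -> 78.107.71.38:42859`) shows the blocked host as the responder of an outbound state, which `pfctl -k 78.107.71.38` on its own does not cover. The script below is an added example, not code from the thread or from the pf project: it reads `pfctl -s state` text and, for one table address, lists every state still involving that address together with the `pfctl -k` form that removes it. It assumes the pf 4.1 output format (`lan -> ext` for outbound states, `lan <- ext` for inbound ones, with the ext host always last) and that a single `pfctl -k host` matches only states initiated by that host, as the "killed 1 states from 1 sources and 0 destinations" output suggests.

```shell
#!/bin/sh
# Added example (not from the thread). Parse "pfctl -s state" output and
# report leftover states for one address from a block table.
# Assumptions: pf 4.1 state format as printed on FreeBSD 7, IPv4 hosts as
# "addr:port", and "pfctl -k host" matching states *initiated by* host only.

# Constructed sample: the thread's own state line plus two made-up lines,
# one inbound state from the other table entry and one unrelated SSH session.
SAMPLE_STATES='all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
all udp 195.14.50.21:53 <- 89.179.195.34:40001       SINGLE:MULTIPLE
all tcp 195.14.50.21:22 <- 192.0.2.9:50001       ESTABLISHED:ESTABLISHED'

# Usage: printf '%s\n' "$states" | leftover_states <addr>
# Prints one line per matching state:
#   <role-of-addr> <proto> <initiator> <responder> <pfctl -k command>
leftover_states() {
    awk -v addr="$1" '
    # Strip the ":port" suffix from an IPv4 "addr:port" token.
    function host(s) { sub(/:[^:]*$/, "", s); return s }
    {
        # $1 iface, $2 proto, $3 lan host, $4 arrow, $(NF-1) ext host,
        # $NF state names; NAT lines carry an extra "gwy" host in between,
        # which is why the ext host is taken as the field before the last.
        lan = $3; ext = $(NF - 1)
        if ($4 == "->")      { init = lan; resp = ext }   # outbound: lan started it
        else if ($4 == "<-") { init = ext; resp = lan }   # inbound: ext started it
        else next                                         # not a state line
        ih = host(init); rh = host(resp)
        if (ih == addr)
            # Initiator is the blocked host: the one-argument kill covers it.
            printf "initiator %s %s %s pfctl -k %s\n", $2, init, resp, ih
        else if (rh == addr)
            # Blocked host is only the responder: kill src -> dst explicitly.
            printf "responder %s %s %s pfctl -k %s -k %s\n", $2, init, resp, ih, rh
    }'
}

# Stand-alone use: ./leftover.sh 78.107.71.38 (runs against the sample).
if [ -n "${1-}" ]; then
    printf '%s\n' "$SAMPLE_STATES" | leftover_states "$1"
fi
```

On a live box replace the sample with `pfctl -s state | leftover_states <addr>` and check the result against `pfctl -T show -t dnsflood -v` counters before killing anything.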
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080909061045.GA88034>