From nobody Sat Feb 25 20:22:09 2023 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PPJ8W0N4Kz3tqjN for ; Sat, 25 Feb 2023 20:22:19 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PPJ8V74kGz4F9f; Sat, 25 Feb 2023 20:22:18 +0000 (UTC) (envelope-from kp@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1677356539; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q6K8f2C/w7TH0iGIQqSCo0zLfW460zfOfqY54zs94Lg=; b=kG5Ibkm6OX8LsQIvYrdbyDynTZxhcQLpMuLR/Y0IZY/34IUZJBOypBtXemAzyPnQb6g76Q GFf51lqpIBizSOtY9Wb627uCSXm7IlB09UsBA1WdplHmaqyuReFRxNQ+uN5V0Abl+Vf3iw zfTSnHcbat+TtBQvqR8Q7LGN2ypHSSmO6ykqk7DuOeYn5wTqglWE9RRDWc49b8XXsusMna Yrzy6EOsVc9JmuvBqtmXdGuAOw1eyR1ucEsT3nnCiwomOFaFSkMn8pahtZPO1PYFMcTWao 9EMQEetO4DZq8y0k1lIIAoRiwRD9zwa2yRcSWCWqXrWJR/7nD4EH9ChgfG1PcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1677356539; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q6K8f2C/w7TH0iGIQqSCo0zLfW460zfOfqY54zs94Lg=; b=nSAIZ4GLuQg7/x5SYlxg5+7LdmOOQ1O3r1N+sHHfB5No7CtbDZP9tn0bPlRQrC3B1c+C+o 5fk1p1gmeZkRTjQHVeV0jQYwA6oRY+NRY1322WhyjUiIZIsCX3TGXIBEct7LWLIeRiRv0G dSo70A9yYdSoR7HYFL/mTiXesZ4RClrGkYNq+oPXtZ4COqbhCltGrZWwAmes4ggC9aGs0c 5W9rmqp/afKGfhSAW4OvxGlMrxilTP0zeSiLstN+9LGjzchyXzcaUNlgr7pbabU3YA5aPp NnMymO4DZwEGtcspJSLXThgKLyekmXalWchWx6Pfmy19IdazjNc9/4DmxB++kw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1677356539; a=rsa-sha256; cv=none; b=XH5qEZgWIn2YR6IVcGy2uU/s2VuKbU4z9GSHQoeR4OePm0OYr/lJbR0SDxO3baYfc9c2GJ T9BMWXtTJkk4Uz60yTXNIwv3BULXBC2hXVj5XXMxum/OQFydgMAfRWZfo+CHfLAZm0xZtB p2iu+6D4JDdh3tw7rXr1urrKf+wWov4BFFHFd0bHPxT0+elNeab7AFFFUDebdpTUBONK3j X4JdGwS0z50qzTuzO7+yFzKYzuIb01cP/p+wNUkG4jSKeWGwufqZqTLaKu1Pi7VXfO2wXg NZILgvYplkK7k5TycXnDRpDO8p5HufDhdn2IqRHdJruyRkzXTctBZHqScO3OAA== Received: from venus.codepro.be (venus.codepro.be [5.9.86.228]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mx1.codepro.be", Issuer "R3" (verified OK)) (Authenticated sender: kp) by smtp.freebsd.org (Postfix) with ESMTPSA id 4PPJ8V4qdZzHT1; Sat, 25 Feb 2023 20:22:18 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: by venus.codepro.be (Postfix, authenticated sender kp) id 6BFC72428E; Sat, 25 Feb 2023 21:22:14 +0100 (CET) From: Kristof Provost To: Dave Horsfall Cc: FreeBSD PF List Subject: Re: Where did "from <__automatic_43ce223_0> come from? Date: Sun, 26 Feb 2023 09:22:09 +1300 X-Mailer: MailMate (1.14r5937) Message-ID: <502D8886-DC95-4BC0-8681-7D117A430825@FreeBSD.org> In-Reply-To: References: List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_MailMate_F5DF8DE0-804A-4BE6-A45E-957223570A00_=" Content-Transfer-Encoding: 8bit X-ThisMailContainsUnwantedMimeParts: N --=_MailMate_F5DF8DE0-804A-4BE6-A45E-957223570A00_= Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 26 Feb 2023, at 9:09, Dave Horsfall wrote: > FreeBSD aneurin.horsfall.org 10.4-RELEASE-p13 FreeBSD 10.4-RELEASE-p13 > #0: Thu Sep 27 09:21:23 UTC 2018 > root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 > > (Yeah, I'll update soon, when I find a newer box) > > Seen in my daily security run output: > > +block drop in quick inet from <__automatic_43ce223_0> to any [ > Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ] > > Obviously something created automatically (I don't have anything > faintly > resembling that in my pf.conf), but how? > set ruleset-optimization none Disable the ruleset optimizer. basic Enable basic ruleset optimization. This is the default behaviour. Basic ruleset optimization does four things to improve the performance of ruleset evaluations: 1. remove duplicate rules 2. remove rules that are a subset of another rule 3. combine multiple rules into a table when advantageous 4. re-order the rules to improve evaluation performance profile Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic. It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before. If per-rule accounting is important for billing purposes or whatnot, either the ruleset optimizer should not be used or a label field should be added to all of the accounting rules to act as optimization barriers. Optimization can also be set as a command-line argument to pfctl(8), overriding the settings in pf.conf. That’d be case 3. Kristof --=_MailMate_F5DF8DE0-804A-4BE6-A45E-957223570A00_= Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On 26 Feb 2023, at 9:09, Dave Horsfall wrote:

FreeBSD aneurin.horsfall.org 10.4-R= ELEASE-p13 FreeBSD 10.4-RELEASE-p13 #0: Thu Sep 27 09:21:23 UTC 2018 = root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

=

(Yeah, I'll update soon, when I find a newer box)

Seen in my daily security run output:

+block drop in quick inet from <__automatic_43ce22= 3_0> to any [ Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]

Obviously something created automatically (I don't have a= nything faintly
resembling that in my pf.conf), but how?


 s=
et ruleset-optimization
       none      Disable the ruleset optimizer.
       basic     Enable basic ruleset optimization.  This is the default
                 behaviour.  Basic ruleset optimization does four things =
to
                 improve the performance of ruleset evaluations:

                 1.   remove duplicate rules
                 2.   remove rules that are a subset of another rule
                 3.   combine multiple rules into a table when advantageo=
us
                 4.   re-order the rules to improve evaluation performanc=
e

       profile   Uses the currently loaded ruleset as a feedback profile =
to
                 tailor the ordering of quick rules to actual network
                 traffic.

       It is important to note that the ruleset optimizer will modify the=

       ruleset to improve performance.  A side effect of the ruleset
       modification is that per-rule accounting statistics will have
       different meanings than before.  If per-rule accounting is importa=
nt
       for billing purposes or whatnot, either the ruleset optimizer shou=
ld
       not be used or a label field should be added to all of the account=
ing
       rules to act as optimization barriers.

       Optimization can also be set as a command-line argument to pfctl(8=
),
       overriding the settings in pf.conf.

That=E2=80=99d be case 3.

Kristof

--=_MailMate_F5DF8DE0-804A-4BE6-A45E-957223570A00_=--