From owner-freebsd-questions@FreeBSD.ORG Thu Jun 9 10:19:40 2005
Date: Thu, 9 Jun 2005 03:18:05 -0700
From: Matt Rechkemmer
To: Giorgos Keramidas
Cc: freebsd-questions@freebsd.org
Subject: Re: pf block question
Message-ID: <20050609101805.GA11341@sdf.lonestar.org>
In-Reply-To: <20050607105030.GA44218@orion.daedalusnetworks.priv>
References: <20050607064323.GA29038@sdf.lonestar.org> <20050607105030.GA44218@orion.daedalusnetworks.priv>
User-Agent: Mutt/1.4.2.1i

On Tue, Jun 07, 2005 at 01:50:30PM +0300, Giorgos Keramidas wrote:
>
> We'd have to see the entire ruleset and a tcpdump of traffic that passes
> through to know what's wrong.
>
> - Giorgos

Here are the rules as taken from pfctl -sr. I can also provide a copy of
pf.conf, if needed. The user's host is in the "badhosts" table.

I've changed the first three octets of my IPs, for privacy reasons. The
intruder's IP in the tcpdump has also been masked.

***sorry about the word wrap***

scrub in all fragment reassemble
block drop on fxp0 from <badhosts> to any
block drop all
pass out quick on lo0 all
pass in quick on lo0 all
pass out on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.70 port = ssh keep state
pass in quick on fxp0 inet6 proto tcp from <...> to fe80::211:11ff:fe47:1980 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.161 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.162 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.163 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.164 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.165 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.166 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.167 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.168 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.169 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.170 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.171 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.172 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.173 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.174 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.175 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.176 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.177 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.178 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.179 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.180 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.181 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.182 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.183 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.184 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.185 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.186 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.187 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.188 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.189 port = ssh keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.190 port = ssh keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = smtp keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = domain keep state
pass in quick on fxp0 inet proto udp from any to 1.3.3.70 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.163 port = http keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = pop3s keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.164 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.162 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.166 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.167 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = auth keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = ircd keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 6668 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 6669 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = afs3-fileserver keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 7878 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 9000 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.176 port = 9999 keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.161 port = 4400 keep state
pass in quick on fxp0 inet proto tcp from <...> to 1.3.3.168 port = afs3-fileserver keep state
pass out on fxp0 all keep state

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
03:17:04.793303 IP my.host.com > attacker.host.com: icmp 64: echo request seq 0
03:17:04.823353 IP attacker.host.com > my.host.com: icmp 64: echo reply seq 0
03:17:05.801745 IP my.host.com > attacker.host.com: icmp 64: echo request seq 1
03:17:05.832149 IP attacker.host.com > my.host.com: icmp 64: echo reply seq 1

Thanks,

-- 
Matt Rechkemmer
tiberius@trancell.org
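Added example (editor's illustration, not part of the thread and not pf or the poster's code): a toy model of how pf walks a ruleset. pf evaluates rules top to bottom and the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation at once. The ruleset above opens with `block drop on fxp0 from <badhosts> to any` without `quick`, so any later non-quick or quick `pass` rule that also matches the packet overrides it. The model runs an abridged copy of the thread's rules, then the same rules with `quick` on the block, against a few constructed packets; the table name `<admins>` for the ssh rules is assumed (the real name was stripped from the archived message), the addresses are constructed, and state tracking is not modelled.

```python
"""Toy model of pf rule evaluation, added to illustrate the ruleset in the
thread; not pf itself and not the poster's code. Rules are checked top to
bottom and the LAST matching rule wins, unless a matching rule carries
`quick`, which stops evaluation immediately. Only the pfctl -sr subset used
in the thread is parsed; `keep state` is accepted but state is not modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed tables. "badhosts" is the table named in the thread; "admins"
# is an assumed name for the source table of the ssh rules. Addresses are
# from documentation ranges.
TABLES = {"badhosts": {"198.51.100.7"}, "admins": {"203.0.113.5"}}


@dataclass
class Rule:
    action: str                # "pass" or "block"
    direction: Optional[str]   # "in", "out" or None for both directions
    quick: bool
    iface: Optional[str]       # interface after "on", or None for any
    proto: Optional[str]       # "tcp", "udp", "icmp" or None for any
    src: str                   # address, "<table>" or "any"
    dst: str
    port: Optional[str]        # destination port or service name
    icmp_type: Optional[str]
    text: str


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[str] = None
    icmp_type: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one pfctl -sr style line (the subset seen in the thread)."""
    t = line.split()

    def after(key: str) -> Optional[str]:
        return t[t.index(key) + 1] if key in t else None

    direction = "in" if "in" in t else "out" if "out" in t else None
    src, dst = (after("from"), after("to")) if "from" in t else ("any", "any")
    port = t[t.index("port") + 2] if "port" in t else None  # skip the "=" operator
    return Rule(t[0], direction, "quick" in t, after("on"), after("proto"),
                src, dst, port, after("icmp-type"), line)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("<"):           # table reference such as <badhosts>
        return addr in TABLES.get(spec[1:-1], set())
    return spec == addr


def matches(r: Rule, p: Packet) -> bool:
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and addr_matches(r.src, p.src) and addr_matches(r.dst, p.dst)
            and (r.port is None or r.port == p.dport)
            and (r.icmp_type is None or r.icmp_type == p.icmp_type))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, text of the winning rule). Last match wins unless quick."""
    winner = None
    for r in rules:
        if matches(r, p):
            winner = r
            if r.quick:
                break
    return (winner.action, winner.text) if winner else ("pass", None)  # pf default is pass


# Abridged from the thread's pfctl -sr output; "<admins>" is the assumed table name.
ORIGINAL = [parse_rule(line) for line in """
block drop on fxp0 from <badhosts> to any
block drop all
pass out quick on lo0 all
pass in quick on lo0 all
pass out on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in on fxp0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in quick on fxp0 inet proto tcp from <admins> to 1.3.3.70 port = ssh keep state
pass in quick on fxp0 inet proto tcp from any to 1.3.3.70 port = smtp keep state
pass out on fxp0 all keep state
""".strip().splitlines()]

# Same ruleset with `quick` on the table block, so later pass rules cannot override it.
FIXED = [parse_rule("block drop quick on fxp0 from <badhosts> to any")] + ORIGINAL[1:]

# Constructed packets: traffic the listed host would send in, plus the
# outbound echo request that the thread's tcpdump actually shows.
PING_IN = Packet("in", "fxp0", "icmp", "198.51.100.7", "1.3.3.70", icmp_type="echoreq")
SMTP_IN = Packet("in", "fxp0", "tcp", "198.51.100.7", "1.3.3.70", dport="smtp")
SSH_IN = Packet("in", "fxp0", "tcp", "198.51.100.7", "1.3.3.70", dport="ssh")
PING_OUT = Packet("out", "fxp0", "icmp", "1.3.3.70", "198.51.100.7", icmp_type="echoreq")

if __name__ == "__main__":
    for name, pkt in [("ping in", PING_IN), ("smtp in", SMTP_IN),
                      ("ssh in", SSH_IN), ("ping out", PING_OUT)]:
        print(f"{name:9} original: {evaluate(ORIGINAL, pkt)[0]:5}  fixed: {evaluate(FIXED, pkt)[0]}")
```

Two things the run makes visible. First, with the original ordering an inbound echo request or SMTP connection from the listed host ends up passed, because the non-quick block is overridden by the later `pass in ... icmp-type echoreq` and `pass in quick ... port = smtp` rules; only traffic that no later pass rule covers (ssh from a host outside the admin table) stays blocked. Second, the capture in the message shows the echo request leaving my.host.com, so that test exercises the `pass out` rules, not the block rule, and the echo reply comes back through the state entry that `keep state` created rather than through rule evaluation at all. A block on a table is only reliable when it carries `quick` (or sits after every pass rule it must override), and it should be tested with traffic initiated by the listed host.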