From owner-freebsd-pf@FreeBSD.ORG  Mon May  1 19:01:26 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A206816A400
	for <freebsd-pf@freebsd.org>; Mon,  1 May 2006 19:01:26 +0000 (UTC)
	(envelope-from dimas@dataart.com)
Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2F2FA43D46
	for <freebsd-pf@freebsd.org>; Mon,  1 May 2006 19:01:26 +0000 (GMT)
	(envelope-from dimas@dataart.com)
Received: from e1.universe.dart.spb ([192.168.10.44])
	by relay1.dataart.com with esmtp (Exim 4.22) id 1Fade8-0003TN-ME
	for freebsd-pf@freebsd.org; Mon, 01 May 2006 23:01:24 +0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 1 May 2006 23:00:01 +0400
Message-ID: <D5972F49810A69449A9EA72A4B360DC2D0A07B@e1.universe.dart.spb>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: should tcpdump see blocked packets?
thread-index: AcZtUaUHSTGUZ1ngSLGqm2DCD2IgMg==
From: "Dmitry Andrianov" <dimas@dataart.com>
To: <freebsd-pf@freebsd.org>
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: should tcpdump see blocked packets?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 01 May 2006 19:01:26 -0000

Hello all.
=20
I was under impression that tcpdump on any interface should NOT see
incoming packets which are blocked by pf rules - these packets should
only appear on pflog0 interface (and only if logged explicitly by "block
log"/"pass log" rule).
=20
But right now I see that tcpdump -pni em0 (where em0 is my DMZ
interface) actually sees packets which should not be there (because they
are blocked)! Interesting enough, these packets are also visible with
tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in
my ruleset, only the "block + log" ones,  the only explanation I see is
that tcpdump sees packets on em0 before they processed by pf. This
worries me because for other interfaces tcpdump does not see blocked
traffic. I wonder why this happens.
=20
Regards,
Dmitry Andrianov
=20