From owner-freebsd-pf@FreeBSD.ORG Mon Sep 22 15:38:07 2008
Date: Mon, 22 Sep 2008 08:38:05 -0700
From: Jeremy Chadwick
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Subject: Re: IMAP server talks back PF blocks
Message-ID: <20080922153805.GA29447@icarus.home.lan>
In-Reply-To: <48D7871E.1040902@eskk.nu>
References: <48D7871E.1040902@eskk.nu>
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, Sep 22, 2008 at 01:53:02PM +0200, Leslie Jensen wrote:
> When doing
> tcpdump -n -e -ttt -i pflog0
>
> I frequently see packets blocked that look like this
>
> 458660 rule 0/0(match): block in on em0: xxx.yyy.zzz.qqq.993 > qqq.zzz.yyy.xxx.59930: tcp 8 [bad hdr length 12 - too short, < 20]
>
> It's the IMAP server I'm using that tries to talk back. Is this
> something I should try to let through?

The blocks are happening, but you're not able to see the full data in
the packet due to the snaplen on tcpdump being too small.  Add -s 256
to your tcpdump argument and run it again.

It looks to me like you have a rule problem; possibly IMAP+SSL isn't
being permitted through, so the block ends up happening as a result of
an ambiguous "block in on em0" rule you have.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
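Added example, not part of the thread above: a small Python model of why a short tcpdump snaplen leaves the decoder with an unusable TCP header on pflog0, and why raising it with -s 256 fixes the display. The pflog pseudo-link header size (64 bytes), the minimal IPv4 header (20 bytes) and the old default snaplen of 96 are assumptions used only for the arithmetic; the decode check reproduces the shape of tcpdump's "bad hdr length" message but is not tcpdump's own code. The TCP segment is constructed inline.

```python
import struct

# Assumed sizes (not stated in the thread): FreeBSD's pflog pseudo-link
# header and a minimal IPv4 header without options.
PFLOG_HDR_LEN = 64
IPV4_HDR_LEN = 20
TCP_MIN_HDR_LEN = 20
OLD_DEFAULT_SNAPLEN = 96   # assumption: what an older tcpdump captured per packet


def tcp_bytes_captured(snaplen, link_hdr_len=PFLOG_HDR_LEN, ip_hdr_len=IPV4_HDR_LEN):
    """Bytes of the TCP segment that survive a capture with the given snaplen."""
    return max(0, snaplen - link_hdr_len - ip_hdr_len)


def build_tcp_header(sport, dport, data_offset=5, flags=0x02):
    """Construct a 20-byte TCP header (SYN by default); data_offset is in 32-bit words."""
    off_flags = (data_offset << 12) | flags
    # src port, dst port, seq, ack, offset/flags, window, checksum, urgent ptr
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)


def simulate_capture(segment, snaplen):
    """Return the slice of the TCP segment a capture with this snaplen would keep."""
    return segment[:tcp_bytes_captured(snaplen)]


def decode_tcp(captured):
    """Decode a possibly truncated TCP header, with checks shaped like tcpdump's."""
    if len(captured) < 13:
        # Not even the data-offset byte was captured: nothing to decode.
        return {"ok": False, "reason": f"truncated: {len(captured)} bytes captured, need 20"}
    hlen = (captured[12] >> 4) * 4
    if hlen < TCP_MIN_HDR_LEN:
        # The header itself claims an impossible length (malformed packet).
        return {"ok": False, "reason": f"bad hdr length {hlen} - too short, < {TCP_MIN_HDR_LEN}"}
    if len(captured) < hlen:
        # Header is sane but the capture was cut off before its end.
        return {"ok": False, "reason": f"truncated: {len(captured)} bytes captured, header claims {hlen}"}
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", captured[:14])
    return {"ok": True, "sport": sport, "dport": dport, "hlen": hlen, "flags": off_flags & 0x1FF}


if __name__ == "__main__":
    # Constructed sample: IMAPS server (port 993) answering a client on 59930.
    segment = build_tcp_header(993, 59930)
    for snaplen in (OLD_DEFAULT_SNAPLEN, 256):
        kept = simulate_capture(segment, snaplen)
        print(f"snaplen {snaplen}: {len(kept)} TCP bytes captured -> {decode_tcp(kept)}")
    # A genuinely malformed header (data offset 3 words = 12 bytes) is a
    # different failure from truncation and is reported as such.
    print(decode_tcp(build_tcp_header(993, 59930, data_offset=3)))
```

With the assumed sizes, a 96-byte snaplen leaves only 12 bytes of the TCP segment after the pflog and IP headers, so the decoder cannot even reach the data-offset field; at 256 bytes the whole header is present and ports and flags decode normally. The last call shows what a header that really does carry a bad length looks like, so the two cases can be told apart when reading pflog output.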