From owner-freebsd-pf@FreeBSD.ORG Mon May 1 19:07:29 2006
Message-ID: <79722fad0605011207j5e51cf17sc47fccd24e30508d@mail.gmail.com>
Date: Mon, 1 May 2006 22:07:23 +0300
From: "Vlad GALU" <vladgalu@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: should tcpdump see blocked packets?
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/1/06, Dmitry Andrianov wrote:
> Hello all.
>
> I was under the impression that tcpdump on any interface should NOT see
> incoming packets which are blocked by pf rules - these packets should
> only appear on the pflog0 interface (and only if logged explicitly by a
> "block log"/"pass log" rule).
>
> But right now I see that tcpdump -pni em0 (where em0 is my DMZ
> interface) actually sees packets which should not be there (because they
> are blocked)! Interestingly enough, these packets are also visible with
> tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in
> my ruleset, only the "block + log" ones, the only explanation I see is
> that tcpdump sees packets on em0 before they are processed by pf. This
> worries me because for other interfaces tcpdump does not see blocked
> traffic. I wonder why this happens.

Because of the bpf hooks in each driver. This is the expected behaviour.

> Regards,
> Dmitry Andrianov
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
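Since the bpf tap on em0 sees every frame the driver receives regardless of what pf later decides, the only capture that states pf's verdict is pflog0, whose records carry the action, interface, rule number and direction in a header in front of the packet. The decoder below is an added example, not code from this thread or from FreeBSD; it assumes the 64-byte FreeBSD pfloghdr layout (length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr in network byte order, then uid/pid/rule_uid/rule_pid, dir, 3 pad bytes) and uses constructed sample records.

```python
import struct
from collections import Counter

# Assumed FreeBSD pfloghdr (64 bytes): length, af, action, reason, ifname[16],
# ruleset[16], rulenr, subrulenr (network byte order), then uid, pid,
# rule_uid, rule_pid (16 bytes, host order, ignored here), dir, pad[3].
_FIXED = struct.Struct("!BBBB16s16sII")   # covers the first 44 bytes
PFLOG_HDRLEN = 64
ACTIONS = {0: "pass", 1: "block"}         # PF_PASS, PF_DROP
DIRS = {0: "inout", 1: "in", 2: "out"}    # PF_INOUT, PF_IN, PF_OUT
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short"}

def parse_pflog_hdr(buf: bytes) -> dict:
    """Decode one pflog record header; the IP packet follows at buf[PFLOG_HDRLEN:]."""
    if len(buf) < PFLOG_HDRLEN:
        raise ValueError("truncated pflog header")
    length, af, action, reason, ifname, ruleset, rulenr, subrulenr = _FIXED.unpack(buf[:44])
    if length != PFLOG_HDRLEN:
        raise ValueError(f"unexpected pflog header length {length}")
    return {
        "af": af,
        "action": ACTIONS.get(action, f"action#{action}"),
        "reason": REASONS.get(reason, f"reason#{reason}"),
        "ifname": ifname.split(b"\0", 1)[0].decode(),
        "ruleset": ruleset.split(b"\0", 1)[0].decode(),
        "rulenr": rulenr,
        "subrulenr": None if subrulenr == 0xFFFFFFFF else subrulenr,  # -1 means no anchor sub-rule
        "dir": DIRS.get(buf[60], f"dir#{buf[60]}"),
    }

def build_pflog_hdr(action: int, ifname: str, rulenr: int, direction: int, af: int = 2) -> bytes:
    """Build a constructed sample record (af 2 = AF_INET); uid/pid fields filled with -1."""
    head = _FIXED.pack(PFLOG_HDRLEN, af, action, 0, ifname.encode().ljust(16, b"\0"),
                       b"\0" * 16, rulenr, 0xFFFFFFFF)
    return head + b"\xff" * 16 + bytes([direction]) + b"\0" * 3

def summarize(records) -> Counter:
    """Count logged packets per (ifname, action, rulenr): what pflog0 says pf actually did."""
    return Counter((r["ifname"], r["action"], r["rulenr"]) for r in map(parse_pflog_hdr, records))

# Constructed sample: two packets blocked inbound on em0 by rule 3, one passed outbound on fxp0 by rule 7.
SAMPLE = [build_pflog_hdr(1, "em0", 3, 1), build_pflog_hdr(1, "em0", 3, 1),
          build_pflog_hdr(0, "fxp0", 7, 2)]
```

A record whose action decodes as "block" is the one to trust over the bare em0 capture, which cannot tell a dropped packet from an accepted one.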