From: "Chris H"
To: "Doug Hardie"
Cc: freebsd-pf@freebsd.org
Date: Sat, 10 May 2014 15:14:58 -0700 (PDT)
Subject: Re: Unexpected pf behavior
Message-ID: <3d5ba75b4ddd0bbc57725279b9ad2872.authenticated@ultimatedns.net>
In-Reply-To: <7782AB7B-59BC-4A31-95FA-3EDF408AA507@lafn.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> I have a pf rule (FreeBSD 9.2) that uses a
> table to block access from specific networks.
>
> This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked networks to access the server. All were
> blocked and marked as such with the proper rule number in pflog.
>
> 10 succeeding connections that were passed through to the port. These were logged by the
> process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time. This all transpired in
> about 10 minutes. A dump of the table shows the proper address range. I am not logging the
> pass-throughs, so only the original 12 blocks are in the logs. I have never seen anything
> like this in the past. Is there some way I can test a specific IP address and have pf tell
> me what it would do if it received a packet from that address?

As memory serves, pfctl(8) provides some info in the EXAMPLES section. Also, net/wireshark and tcpdump(1) may be of interest to you.

HTH

--Chris

>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
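An added example, not part of either message above and not code from pf or FreeBSD. pfctl(8) has no mode that simulates a packet against the loaded ruleset, but it can answer the two halves of the question that are checkable: whether an address is in the table (`pfctl -t TABLE -T test ADDR`) and whether pf already holds a state for that address, since pf matches packets against existing states before it evaluates any rule. The script below does the table check offline against a constructed copy of a `pfctl -T show` dump (documentation addresses, not the ones from the thread), and on a pf host also runs the live checks. The table name `badnets`, the file name `pfcheck.sh` and the sample dump are assumptions; the table must hold IPv4 entries, and the shell needs 64-bit arithmetic (FreeBSD's /bin/sh has it).

```shell
#!/bin/sh
# Added example for the "Unexpected pf behavior" thread; not pf's or the poster's code.
# Assumed: the block rule references a table named "badnets" (override with TABLE=...),
# IPv4 entries only, and a 64-bit /bin/sh.
TABLE=${TABLE:-badnets}

# ip2int 192.0.2.77 -> the dotted-quad address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/BITS] -> success if ADDR lies inside NET; a bare table entry means /32
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (1 << 32) - (1 << (32 - bits)) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# addr_in_dump ADDR "DUMP": the same question `pfctl -t TABLE -T test ADDR` answers,
# but evaluated against saved text from `pfctl -t TABLE -T show`, so a dump taken at the
# time of an incident can be re-checked later without touching the running firewall.
addr_in_dump() {
    addr=$1
    for entry in $2; do
        if in_cidr "$addr" "$entry"; then
            echo "$addr matches table entry $entry"
            return 0
        fi
    done
    echo "$addr matches no table entry"
    return 1
}

# Constructed sample dump (RFC 5737 documentation ranges), standing in for `-T show` output.
SAMPLE_DUMP="192.0.2.0/24 198.51.100.0/25 203.0.113.9"

# pf_explain ADDR: the live checks, to be run as root on the pf host itself.
pf_explain() {
    addr=$1
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; offline check only"; return 2; }
    echo "== is $addr in <$TABLE> right now (what the block rule would see)?"
    pfctl -t "$TABLE" -T test "$addr"
    echo "== rules referencing <$TABLE>, with the @N rule numbers pflog reports and"
    echo "   their Evaluations/Packets counters (grep -A is FreeBSD/GNU grep, not POSIX)"
    pfctl -vvsr | grep -F -A1 "<$TABLE>"
    echo "== existing states involving $addr: pf matches a packet to a state before it"
    echo "   evaluates the ruleset, so such a packet never reaches the block rule"
    pfctl -ss | grep -F "$addr"
}

# Usage: sh pfcheck.sh 192.0.2.77
if [ -n "$1" ]; then
    addr_in_dump "$1" "$SAMPLE_DUMP"
    pf_explain "$1"
fi
```

Run offline anywhere to check an address against a saved dump; on the firewall it additionally prints the live table verdict, the numbered rules (so a rule number from pflog can be matched to its text and counters) and any states already open for that address.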