Date: Sat, 10 May 2014 15:14:00 -0700
Subject: Re: Unexpected pf behavior
From: Brandon Vincent
To: Doug Hardie
Cc: freebsd-pf@freebsd.org

Doug,

As long as you are on the same LAN/broadcast domain, it would be pretty easy to use a program like Nmap with the "-S, --source-ip" parameter to spoof the source IP.

Would you mind sharing the rule that caused this problem?

Brandon Vincent

On Sat, May 10, 2014 at 2:34 PM, Doug Hardie wrote:

> I have a pf rule (FreeBSD 9.2) that uses a table to block access from
> specific networks. This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked networks to access the
> server. All were blocked and marked as such with the proper rule number in
> pflog.
>
> 10 succeeding connections that were passed through to the port. These
> were logged by the process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time. This
> all transpired in about 10 minutes. A dump of the table shows the proper
> address range. I am not logging the pass throughs so only the original 12
> blocks are in the logs. I have never seen anything like this in the past.
> Is there some way I can test a specific IP address and have pf tell me
> what it would do if it received a packet from that address?