Date: Sat, 10 May 2014 16:16:42 -0700
From: Doug Hardie <bc979@lafn.org>
To: Brandon Vincent <Brandon.Vincent@asu.edu>
Cc: freebsd-pf@freebsd.org
Subject: Re: Unexpected pf behavior
Message-ID: <F5EC98FD-33DB-4744-B857-AE88039C882E@lafn.org>
In-Reply-To: <CAJm423_dOshijOiCu=qT05G=2xuVCY7exfe5LPzjNhMT%2BY_xcQ@mail.gmail.com>
References: <7782AB7B-59BC-4A31-95FA-3EDF408AA507@lafn.org> <CAJm423_dOshijOiCu=qT05G=2xuVCY7exfe5LPzjNhMT%2BY_xcQ@mail.gmail.com>

On 10 May 2014, at 15:14, Brandon Vincent <Brandon.Vincent@asu.edu> wrote:

> Doug,
>
> As long as you are on the same LAN/broadcast domain, it would be pretty easy to use a program like Nmap with the "-S, --source-ip" parameter to spoof the source IP.
>
> Would you mind sharing the rule that caused this problem?
>
> Brandon Vincent
>
>
> On Sat, May 10, 2014 at 2:34 PM, Doug Hardie <bc979@lafn.org> wrote:
> I have a pf rule (FreeBSD 9.2) that uses a table to block access from specific networks. This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked networks to access the server. All were blocked and marked as such with the proper rule number in pflog.
>
> 10 succeeding connections that were passed through to the port. These were logged by the process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time. This all transpired in about 10 minutes. A dump of the table shows the proper address range. I am not logging the pass throughs so only the original 12 blocks are in the logs. I have never seen anything like this in the past. Is there some way I can test a specific IP address and have pf tell me what it would do if it received a packet from that address?
>

nmap does a good test. Took a while to figure out how to make it spoof properly though. Unfortunately I can't make pf fail. It blocks everything I send from that range. I guess I'll just have to monitor this a lot closer.