From owner-freebsd-stable@FreeBSD.ORG Wed Jun 1 22:03:06 2011
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 19D521065670 for ; Wed, 1 Jun 2011 22:03:06 +0000 (UTC) (envelope-from bartosz.woronicz@korbank.pl)
Received: from LISTonosz.Korbank.PL (a.smtp.korbank.com [79.110.199.33]) by mx1.freebsd.org (Postfix) with ESMTP id 8EEEC8FC16 for ; Wed, 1 Jun 2011 22:03:04 +0000 (UTC)
Received: from [192.168.33.244] (unknown [79.110.199.199]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by LISTonosz.Korbank.PL (Postfix) with ESMTP id 523781671554 for ; Thu, 2 Jun 2011 00:02:30 +0200 (CEST)
Message-ID: <4DE6B716.9080600@korbank.pl>
Date: Thu, 02 Jun 2011 00:03:02 +0200
From: Bartosz Woronicz
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: freebsd-stable@freebsd.org
References: <4DE62DFD.2000204@korbank.pl>
In-Reply-To: <4DE62DFD.2000204@korbank.pl>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: [CLOSED] Re: PF problem with packets falling in block...
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Wed, 01 Jun 2011 22:03:06 -0000

I put it in the wrong mailing list. Sorry for that.

On 01.06.2011 14:18, Bartosz Woronicz wrote:
> I want to just block a few classes that must be blocked. It seems like
> it's partly working, but not all packets are accessible. And moreover
> I cannot connect from outside.
> What is wrong? My FreeBSD is 7.3-Stable
> my wan interface is vlan300 and vlan352 is for a user.
>
> The rule for blocking is:
> rule 28/0 block in log on vlan352 from 79.110.199.192/27 to
> rule 29/0 block in log on vlan352 from 79.110.199.192/27 to !
>
> I was trying also with: block in log on vlan352 from 79.110.199.192/27 to any
> instead of these 2 above
> contains addresses of my network: 79.110.192.0/20
>
> Passing rules are:
> pass quick from 79.110.199.199 to keep state
> pass in quick on vlan352 from 79.110.199.199 to ! tag FROM79_110_199_199 queue 79_110_199_199D
> pass out quick on vlan300 tagged FROM79_110_199_199 queue 79_110_199_199U
> pass in quick on vlan300 from ! to 79.110.199.199 tag TO79_110_199_199 queue 79_110_199_199U
> pass out quick on vlan352 tagged TO79_110_199_199 queue 79_110_199_199D
>
>
> But still some packets are dropped
>
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 87.239.219.82.59291: tcp 1480 [bad hdr length 0 - too short, < 20]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 56948, offset 0, flags [DF], proto TCP (6), length 1442) 79.110.199.199.55073 > 80.229.149.80.55511: tcp 1422 [bad hdr length 0 - too short, < 20]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8243, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8244, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8245, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8246, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
> rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8247, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
> rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54314, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8248, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
> rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
> rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54315, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
>

--
Regards,
Bartosz Woronicz, System Administrator, Korbank S.A.
ul. Nabycińska 19 53-677 Wrocław
NIP: 894-26-41-602
tel. 071-723-43-23
fax. 071-723-43-29
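The pflog output quoted above is the kind of thing an operator has to triage by hand: which rule is matching, which flows it is hitting, and whether the "[|tcp]" and "bad hdr length" markers mean corrupt packets. The following Python script is an added example, not code from the thread or from FreeBSD; it parses lines in the format tcpdump prints for pflog0, counts matches per rule and per blocked flow, and separates capture truncation from real packet problems. Its sample input is the thread's own fifteen log lines, embedded as a constant. One assumption is labelled in the code: the pflog pseudo-header length of 61 bytes (libpcap's PFLOG_REAL_HDRLEN), which explains the truncation markers: with the 96-byte capture size shown in the tcpdump banner, 61 bytes of pflog header plus 20 bytes of IPv4 header leave only 15 bytes for a TCP header that needs at least 20, so tcpdump cannot decode the TCP portion of any logged packet. Re-running tcpdump with `-s 0` (or any snaplen large enough) makes the flags and options visible.

```python
"""Triage helper for pf block logs as printed by `tcpdump -n -e -v -i pflog0`."""
import re
from collections import Counter

# Assumption: libpcap's PFLOG_REAL_HDRLEN, the pflog pseudo-header that precedes
# the IP header in every packet captured on pflog0.
PFLOG_REAL_HDRLEN = 61
IPV4_MIN_HDRLEN = 20
TCP_MIN_HDRLEN = 20

# Constructed sample input: the fifteen pflog lines quoted in the thread above,
# one per line, plus the tcpdump banner line (which the parser skips).
SAMPLE_LOG = """\
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 87.239.219.82.59291: tcp 1480 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 56948, offset 0, flags [DF], proto TCP (6), length 1442) 79.110.199.199.55073 > 80.229.149.80.55511: tcp 1422 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8243, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8244, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8245, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8246, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8247, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54314, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8248, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54315, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
"""

# One pflog record: rule number, action, direction, interface, IP summary, 5-tuple, decoder text.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifname>\S+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; non-matching lines (banners) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "subrule", "length", "sport", "dport"):
            rec[key] = int(rec[key])
        # "[|tcp]" and "bad hdr length" mean tcpdump ran out of captured bytes before
        # the TCP header ended: a snaplen artefact, not evidence of a malformed packet.
        rec["truncated"] = "[|tcp]" in rec["rest"] or "bad hdr length" in rec["rest"]
        records.append(rec)
    return records


def l4_bytes_captured(snaplen, pflog_hdrlen=PFLOG_REAL_HDRLEN, ip_hdrlen=IPV4_MIN_HDRLEN):
    """Bytes of the transport header tcpdump can see at a given snaplen on pflog0."""
    return snaplen - pflog_hdrlen - ip_hdrlen


def summarize(records):
    """Count matches per (rule, action, direction, interface) and per blocked flow."""
    by_rule = Counter((r["rule"], r["action"], r["direction"], r["ifname"]) for r in records)
    flows = Counter((r["src"], r["dst"], r["dport"]) for r in records if r["action"] == "block")
    return {
        "total": len(records),
        "by_rule": dict(by_rule),
        "blocked_flows": dict(flows),
        "truncated": sum(r["truncated"] for r in records),
    }


def report(text, snaplen=96):
    """Human-readable triage lines for a pflog dump captured with the given snaplen."""
    summary = summarize(parse_pflog(text))
    lines = [f"{summary['total']} logged packets"]
    for (rule, action, direction, ifname), n in sorted(summary["by_rule"].items()):
        lines.append(f"rule {rule}: {action} {direction} on {ifname}: {n} packets")
    for (src, dst, dport), n in sorted(summary["blocked_flows"].items(), key=lambda kv: -kv[1]):
        lines.append(f"blocked {src} -> {dst}:{dport}: {n} packets")
    if summary["truncated"] and l4_bytes_captured(snaplen) < TCP_MIN_HDRLEN:
        lines.append(f"{summary['truncated']} TCP headers truncated by snaplen {snaplen}; "
                     "re-capture with a larger snaplen (tcpdump -s 0) to see TCP flags")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the thread's lines, the report shows every logged packet being dropped by rules 28 and 29 on vlan352, all of them originating from 79.110.199.199, and the flow to 85.222.56.47:56705 accounting for seven of the fifteen drops; the truncation note fires because 96 bytes cannot hold a pflog header, an IPv4 header and a TCP header.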