Date: Sat, 4 Jun 2022 14:35:45 -0700
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
Subject: Re: Dumb pf.conf question
To: George Mitchell, FreeBSD Hackers
From: Craig Leres

On 6/4/22 13:05, George Mitchell wrote:
> Due to an excess (to put it politely) of packets originating from
> IPv4-address-that-shall-not-be-mentioned, I decided to fix up my
> pf.conf file, which in very general terms looks like this:
>
> (a bunch of macro definitions: ext_if = external interface,
>  int_if = internal interface, internal_ipv6 = 2001:xxxx:yyyy:zzzz::/120,
>  internal_net = 10.0.0.0/8)
> (a couple of table definitions)
> (no options, traffic normalization, or queueing)
>
> scrub in all
> nat on $ext_if from $internal_net to any -> ($ext_if)
>
> (a bunch of rdr statements, none of which contain "quick")
>
> block all
> pass quick on lo0
> pass quick on $int_if
>
> pass quick from $internal_ipv6
> pass quick to $internal_ipv6
>
> #nuisance ssh logins
> block quick on $ext_if from (nasty address)
>
> (lots more packet filtering rules that work)
>
> But that next-to-last line is not stopping packets from nasty address.
> What did I do wrong?

I don't have a solution but let me suggest a strategy; normally I add
"log" to all block rules so I can use tcpdump to tell me what I'm
blocking, e.g.:

    tcpdump -ent -i pflog0

-e is particularly cool because it reports details such as rule number
and interface. But if instead you add "log" to all of your "pass" rules,
you might be able to identify the rule that's passing the undesired
packets, e.g.:

    tcpdump -ent -i pflog0 host badguy

		Craig
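As an added illustration of Craig's strategy (not part of the original thread), the script below tallies the rule number, action and interface that "tcpdump -ent -i pflog0" reports for every logged packet involving one host, so that after adding "log" to the pass rules you can see at a glance which rule is letting the unwanted traffic through. The input lines are constructed samples in the "rule N/M(match): action dir on iface: src > dst:" layout tcpdump prints for pflog; the rule numbers, interfaces and addresses are made up.

```python
import re
from collections import Counter

# One pflog record as printed by "tcpdump -ent -i pflog0" (the -e flag adds
# the "rule N/M(match): pass|block in|out on iface:" prefix).
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

# Constructed sample output: rule 12 is the block rule, rule 7 a pass rule
# that is letting 198.51.100.77 through on the external interface em0.
SAMPLE_LOG = """\
rule 3/0(match): pass in on em1: 10.0.0.5.51234 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0
rule 12/0(match): block in on em0: 198.51.100.77.40112 > 203.0.113.10.22: Flags [S], seq 2, win 65535, length 0
rule 7/0(match): pass in on em0: 198.51.100.77.40113 > 203.0.113.10.22: Flags [S], seq 3, win 65535, length 0
rule 7/0(match): pass in on em0: 198.51.100.77.40114 > 203.0.113.10.22: Flags [S], seq 4, win 65535, length 0
rule 12/0(match): block in on em0: 198.51.100.77 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
"""

def strip_port(endpoint):
    """tcpdump prints 'addr.port'; ICMP and other portless records print just
    'addr'. An IPv4 endpoint with a port has four dots, an IPv6 one has one."""
    if ":" in endpoint:
        return endpoint.rsplit(".", 1)[0] if "." in endpoint else endpoint
    return endpoint.rsplit(".", 1)[0] if endpoint.count(".") == 4 else endpoint

def parse_pflog_line(line):
    """Return the rule/action/interface/endpoint fields of one record, or None."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = strip_port(rec["src"]), strip_port(rec["dst"])
    return rec

def summarize(log_text, host):
    """Count records involving `host`, keyed by (rule, action, direction, iface)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec and host in (rec["src"], rec["dst"]):
            hits[(int(rec["rule"]), rec["action"], rec["dir"], rec["iface"])] += 1
    return hits

if __name__ == "__main__":
    for (rule, action, direction, iface), n in sorted(summarize(SAMPLE_LOG, "198.51.100.77").items()):
        print(f"rule {rule:>3}  {action:<5} {direction:<3} on {iface}: {n} packet(s)")
```

Pipe real output into it with "tcpdump -ent -i pflog0 host badguy | python3 pfsummary.py" once you replace SAMPLE_LOG with sys.stdin.read(); the rule numbers it prints line up with "pfctl -vvsr".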