From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 16:04:37 2008
Delivered-To: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 09:04:34 -0700
From: Jeremy Chadwick
To: Dmitry Rybin
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble
Message-ID: <20080908160434.GA72812@icarus.home.lan>
In-Reply-To: <20080908155139.GA72633@icarus.home.lan>
References: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com>
 <20080908155139.GA72633@icarus.home.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, Sep 08, 2008 at 08:51:39AM -0700, Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote:
> > PF doesn't block some IP!!!!
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table <dnsflood> { 78.107.71.38 89.179.195.34 }
> >
> > block quick from <dnsflood>
> > pass out
> > pass in
> > === pf.conf ===
> >
> > # pfctl -e -f /etc/pf.conf
> >
> > # tcpdump -netxi bge0 host 89.179.195.34
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> > 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
> > 0x0000: 4500 0037 3034 0000 3811 4089 59b3 c322
> > 0x0010: c30e 3215 0935 0035 0023 0314 8c1d 0100
> > 0x0020: 0001 0000 0000 0000 0565 6d69 6c73 0363
> > 0x0030: 6f6d 0000 0100 01
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 84:
> > 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/1 (42)
> > 0x0000: 4500 0046 84a8 0000 4011 0000 c30e 3215
> > 0x0010: 59b3 c322 0035 0935 0032 c7de bb99 8182
> > 0x0020: 0001 0000 0000 0001 0377 7777 0565 6d69
> > 0x0030: 6c73 0363 6f6d 0000 0100 0100 0029 1000
> > 0x0040: 0000 0000 0000
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> > 195.14.50.21.53 > 89.179.195.34.2357: 22012 ServFail 0/0/0 (31)
> > 0x0000: 4500 003b 84a9 0000 4011 0000 c30e 3215
> > 0x0010: 59b3 c322 0035 0935 0027 3dbc 55fc 8182
> > 0x0020: 0001 0000 0000 0000 0377 7777 0565 6d69
> > 0x0030: 6c73 0363 6f6d 0000 0100 01
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 69:
> > 195.14.50.21.53 > 89.179.195.34.2357: 35869 ServFail 0/0/0 (27)
> > 0x0000: 4500 0037 84ac 0000 4011 0000 c30e 3215
> > 0x0010: 59b3 c322 0035 0935 0023 8291 8c1d 8182
> > 0x0020: 0001 0000 0000 0000 0565 6d69 6c73 0363
> > 0x0030: 6f6d 0000 0100 01
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 73:
> > 89.179.195.34.2357 > 195.14.50.21.53: 48025+ A? www.emils.com. (31)
> > 0x0000: 4500 003b 3035 0000 3811 4084 59b3 c322
> > 0x0010: c30e 3215 0935 0035 0027 58a1 bb99 0100
> > 0x0020: 0001 0000 0000 0000 0377 7777 0565 6d69
> > 0x0030: 6c73 0363 6f6d 0000 0100 01
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> > 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/0 (31)
> > 0x0000: 4500 003b 84ae 0000 4011 0000 c30e 3215
> > 0x0010: 59b3 c322 0035 0935 0027 d81e bb99 8182
> > 0x0020: 0001 0000 0000 0000 0377 7777 0565 6d69
> > 0x0030: 6c73 0363 6f6d 0000 0100 01
> >
> > tcpdump -netxi bge0 host 78.107.71.38
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 94:
> > 78.107.71.38.37367 > 195.14.50.21.53: 38168+ A?
> > nc-71-51-232-31.dhcp.embarqhsd.net. (52)
> > 0x0000: 4500 0050 ae4f 4000 3b11 0699 4e6b 4726
> > 0x0010: c30e 3215 91f7 0035 003c e6ca 9518 0100
> > 0x0020: 0001 0000 0000 0000 0f6e 632d 3731 2d35
> > 0x0030: 312d 3233 322d 3331 0464 6863 7009 656d
> > 0x0040: 6261 7271 6873 6403 6e65 7400 0001 0001
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 89:
> > 78.107.71.38.37368 > 195.14.50.21.53: 50276+ A?
> > 166.156.122.89.bl.spamcop.net. (47)
> > 0x0000: 4500 004b ae68 4000 3b11 0685 4e6b 4726
> > 0x0010: c30e 3215 91f8 0035 0037 18d5 c464 0100
> > 0x0020: 0001 0000 0000 0000 0331 3636 0331 3536
> > 0x0030: 0331 3232 0238 3902 626c 0773 7061 6d63
> > 0x0040: 6f70 036e 6574 0000 0100 01
> >
> > Add to pf.conf
> > block quick from 89.179.195.34 - same, doesn't work.
> >
> > May be trouble in config?
> >

Please show the output of "pfctl -s rules".

Also, you might want to ensure the entries in the table are getting hit:

pfctl -T show -t dnsflood -v

If the counters for Block are getting incremented, then the rule is
working.

What might be happening is pf has a state table entry which is allowing
the machine in the table to continue sending packets to it, on the same
TCP/UDP socket as before.  You can verify this by using "pfctl -s state |
grep ip".

To remove the states, use pfctl -k ip.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
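As an added worked example (not part of the thread and not the posters' code), the raw hex that `tcpdump -x` printed above is enough to decode every packet and see which of the two table members actually got an answer. The three hex dumps below are copied from the quoted tcpdump output with the offset columns stripped; the `DNSFLOOD` set holds the two addresses from the quoted pf.conf. The responses, not the queries, are the useful evidence: on FreeBSD the BPF tap that tcpdump reads sees an inbound frame before pf's pfil hook, so a query that pf later drops still shows up in the capture, while a ServFail addressed back to a table member means named received the query, i.e. pf passed it.

```python
"""Decode the IPv4/UDP/DNS packets quoted from `tcpdump -netxi bge0` above.

Example code added to this archived thread; not from the original posters.
The hex dumps are copied from the thread (tcpdump offsets removed) and the
table members are the two addresses in the quoted pf.conf.
"""
from __future__ import annotations

import ipaddress
import struct

# Packets copied from the quoted tcpdump output (offset columns stripped).
QUERY_89_EMILS = """
4500 0037 3034 0000 3811 4089 59b3 c322
c30e 3215 0935 0035 0023 0314 8c1d 0100
0001 0000 0000 0000 0565 6d69 6c73 0363
6f6d 0000 0100 01
"""
REPLY_TO_89_WWW_EMILS = """
4500 0046 84a8 0000 4011 0000 c30e 3215
59b3 c322 0035 0935 0032 c7de bb99 8182
0001 0000 0000 0001 0377 7777 0565 6d69
6c73 0363 6f6d 0000 0100 0100 0029 1000
0000 0000 0000
"""
QUERY_78_EMBARQ = """
4500 0050 ae4f 4000 3b11 0699 4e6b 4726
c30e 3215 91f7 0035 003c e6ca 9518 0100
0001 0000 0000 0000 0f6e 632d 3731 2d35
312d 3233 322d 3331 0464 6863 7009 656d
6261 7271 6873 6403 6e65 7400 0001 0001
"""
CAPTURE = [QUERY_89_EMILS, REPLY_TO_89_WWW_EMILS, QUERY_78_EMBARQ]

# Members of table <dnsflood> from the quoted pf.conf.
DNSFLOOD = {"78.107.71.38", "89.179.195.34"}

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a DNS name starting at `off`; follows compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = _read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_packet(hexdump: str) -> dict:
    """Parse one IPv4/UDP/DNS packet given as `tcpdump -x` hex text."""
    raw = bytes.fromhex("".join(hexdump.split()))
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 17:
        raise ValueError("not UDP")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    dns = raw[ihl + 8:ihl + ulen]
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = _read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    rcode = flags & 0x000F
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport, "dport": dport, "ip_len": total_len,
        "txid": txid,
        "qr": bool(flags & 0x8000),          # 1 = response, 0 = query
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "qname": qname, "qtype": qtype,
        "counts": (qd, an, ns, ar),
    }


def answered_table_members(packets: list[dict], table: set[str]) -> set[str]:
    """Table members that received a DNS response.

    Inbound frames reach tcpdump's BPF tap before pf's pfil hook, so queries
    in the capture prove nothing about the block rule.  A response addressed
    to a table member does: named only answers what pf let in.
    """
    return {p["dst"] for p in packets if p["qr"] and p["dst"] in table}


if __name__ == "__main__":
    decoded = [parse_packet(h) for h in CAPTURE]
    for p in decoded:
        kind = "response" if p["qr"] else "query"
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} '
              f'{kind} id={p["txid"]} {p["qname"]} {p["rcode"]}')
    print("table members that got answers:", answered_table_members(decoded, DNSFLOOD))
```

Run stand-alone it lists each packet with its transaction id, qname and rcode and reports that 89.179.195.34 received an answer. 78.107.71.38 shows only queries in the quoted capture, so this capture by itself cannot say whether pf passed or dropped them; the per-entry Block/Pass counters from `pfctl -T show -t dnsflood -v`, as suggested above, settle that.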