From: "Ivan Petrushev" <ivanatora@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 23 Jul 2008 20:25:43 +0300
Subject: Why this rule doesn't score a match?
Hello,

I'm trying a very simple 'block all, allow a few' firewall, but something doesn't seem right. As far as I remember, 'the right matched rule' is taken and executed - this doesn't seem to be working here. Here is my firewall:

#####################
#macros
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
udp_services = "{domain, 5190, 5222, ftp}"

#filter
block in log on $if
pass on $if proto tcp from any port $tcp_services
pass on $if proto udp from any port $udp_services
####################

The point here is that if a packet for one of the listed services is matched against the rules, it will match the block rule, but after that it will match one of the last two and get passed. Instead it gets blocked and I see it in the log:

tcpdump -n -i pflog0
19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24 [bad hdr length 0 - too short, < 20]

(there are many of these, including on the other ports)

Now, there is something different. I tried removing the block rule and added logging to the 'pass' rules. In that case a packet traveling down the rules should match only the 'pass' rules and get logged.

####################
#filter
#block in log on $if
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
####################

Well, it doesn't get logged. The only thing I see in the log is:

20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]

And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80... What could be wrong here - it is a fairly simple ruleset?
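As an added illustration (not part of the original post), the following small Python model walks the first ruleset above with pf's "last matching rule wins" evaluation and reports which rule decides for the two packets seen in the pflog output. It assumes a purely stateless evaluation (no keep state, no quick), pf's default of passing when no rule matches, and that both logged packets arrived inbound on re0.

```python
# Model of pf's "last matching rule wins" evaluation applied to the ruleset
# from the post. Assumptions: stateless, no 'quick', default policy is pass.
# Constructed for illustration; this is not pf's own code.
from dataclasses import dataclass

SERVICES = {"http": 80, "https": 443, "ssh": 22, "domain": 53, "ftp": 21}

def port(name):
    """Resolve a numeric port or a service name from the macro lists."""
    return int(name) if name.isdigit() else SERVICES[name]

TCP_SERVICES = {port(s) for s in "http https ssh domain 5190 5222 ftp 1025".split()}
UDP_SERVICES = {port(s) for s in "domain 5190 5222 ftp".split()}

# The three filter rules from the post, in file order. 'sport' mirrors
# "from any port $..." (a source-port constraint); None means "any".
RULES = [
    dict(action="block", direction="in", iface="re0", proto=None, sport=None, log=True),
    dict(action="pass", direction=None, iface="re0", proto="tcp", sport=TCP_SERVICES, log=False),
    dict(action="pass", direction=None, iface="re0", proto="udp", sport=UDP_SERVICES, log=False),
]

@dataclass
class Packet:
    iface: str; direction: str; proto: str; src: str; sport: int; dst: str; dport: int

def matches(rule, pkt):
    """True if every constraint the rule states applies to this packet."""
    return (rule["iface"] == pkt.iface
            and rule["direction"] in (None, pkt.direction)
            and rule["proto"] in (None, pkt.proto)
            and (rule["sport"] is None or pkt.sport in rule["sport"]))

def evaluate(rules, pkt):
    """Visit every rule; the last match sets action, rule index and log flag."""
    decision, winner, logged = "pass", None, False  # nothing matched yet
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, winner, logged = rule["action"], idx, rule["log"]
    return decision, winner, logged

# Constructed from the two pflog lines quoted in the post (inbound on re0).
ICQ_REPLY = Packet("re0", "in", "tcp", "64.12.161.185", 5190, "10.10.10.21", 54111)
DNS_REPLY = Packet("re0", "in", "udp", "10.10.10.1", 53, "10.10.10.21", 60918)

if __name__ == "__main__":
    for p in (ICQ_REPLY, DNS_REPLY):
        print(p.proto, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", evaluate(RULES, p))
```

Under these assumptions both logged packets end on a pass rule, which is the behaviour the post expects; a packet from a source port outside the lists ends on the block rule and is the only kind this model would log.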