Date: Wed, 14 May 2008 13:36:18 +0100 (BST) From: "Reinhold" <freebsd@violetlan.net> To: freebsd-pf@freebsd.org Subject: Re: a few problems with pf Message-ID: <63902.217.41.34.61.1210768578.squirrel@www.violetlan.net>
next in thread | raw e-mail | index | archive | help
On Wed, May 14, 2008 09:39, Jeremy Chadwick wrote: > On Wed, May 14, 2008 at 09:30:17AM +0100, Reinhold wrote: > >> I'm have a few problems with pf on my FreeBSD 7 STABLE systems, I have >> two running 7 and 4 running 6.3 and the problems are only on my 7 >> systems. >> >> The first problem is that I'm plagued by bad hdr length on both my 7 >> systems > > When using tcpdump with pflog, you'll need to specify a large frame size > to analyse/snoop; the default size is too small. Use -s 1024 to address > that. > Here is the results using -s 1024 2008-05-14 11:09:02.375144 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192 <mss 1414,nop,wscale 8,nop,nop,sackOK> 2008-05-14 11:09:02.379780 rule 6/0(match): block in on ng0: 71.226.2.26.37654 > 217.41.34.61.64166: UDP, length 20 2008-05-14 11:09:03.019599 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192 <mss 1414,nop,wscale 8,nop,nop,sackOK> 2008-05-14 11:09:03.672268 rule 5/0(match): block in on ng0: 71.226.2.26.63696 > 217.41.34.61.64166: S 2876080469:2876080469(0) win 8192 <mss 1414,nop,nop,sackOK> What I've also noticed is that in pf I have this rule pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn 15, max-src-conn-rate 2/1, overload <bruteforce> flush global) When I'm getting the bad header thingy this rule doesn't work properly. It let all the traffic trough but it never blocks the bad guys.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?63902.217.41.34.61.1210768578.squirrel>