From: Drew Tomlinson <drew@mykitchentable.net>
To: freebsd-pf@freebsd.org
Date: Wed, 28 Mar 2007 10:27:56 -0700
Subject: Why Does This Packet Match This Rule?
I am having a heck of a time understanding how pf works and getting it to behave the way I want with my home network and ADSL connection. Basically I want to use ALTQ to prioritize traffic going out the interface connected to my ADSL modem. Here's my network:

internal --- dc0 - FBSD router - dc1 --- ADSL

So I created a rule set and now I'm trying to watch it and figure out what is happening. In watching the log, I capture this smtp transaction (I numbered each entry for reference):

1. 2007-03-28 08:57:48.143830 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535
2. 2007-03-28 08:57:48.143892 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535
3. 2007-03-28 08:57:48.144212 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535
4. 2007-03-28 08:57:48.144247 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535
5. 2007-03-28 08:57:50.811908 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
6. 2007-03-28 08:57:50.811938 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
7. 2007-03-28 08:57:51.352988 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370
8. 2007-03-28 08:57:51.353032 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370

and so on...
The currently loaded relevant rules are:

@55 pass in log-all on dc1 inet proto tcp from any to 192.168.1.4 port = smtp
@84 pass out log-all quick on dc1 inet from 66.205.146.210 to any modulate state queue(std_out, ack_out)
@85 pass in log on dc0 inet from 192.168.1.0/24 to any
@86 pass out log on dc0 inet all

In the above tcpdump output, I understand why entries 1-3 and 5-7 match the rules they match. However, I do not understand entries 4 and 8. Instead of matching rule 55, I would expect them to match rule 84. Then the only traffic I should see passing through the pf rule set would be entries 1-4, as when 4 matches rule 84, a state entry would be made and further matches would occur in the state table, eliminating entries 5-8 (and the rest).

What am I missing?

If it helps, I also posted my complete pf.conf and the rules to which it expands at http://drew.mykitchentable.net/Temp/pf.conf.htm

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
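Added example (not part of Drew's post or of pf itself): a small Python parser for pflog lines in the tcpdump format shown above, fed the eight entries from the post as constructed sample input. It tallies which rule is logged on which interface and direction, and flags entries whose logged direction differs from the direction the rule itself declares (the RULE_DIRECTION table is transcribed from the pfctl -sr listing in the post). pf only evaluates a "pass in" rule against inbound packets, so a "pass in" rule logged for an outbound packet is a packet that matched an existing state; pf logs state matches under the rule that created the state, and with log-all (log (all) in newer syntax) it logs every packet of the connection rather than only the first. The check isolates exactly entries 4 and 8 from the capture.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the eight pflog entries from the post, "N." prefixes stripped.
PFLOG_SAMPLE = """\
2007-03-28 08:57:48.143830 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535
2007-03-28 08:57:48.143892 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535
2007-03-28 08:57:48.144212 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535
2007-03-28 08:57:48.144247 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535
2007-03-28 08:57:50.811908 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
2007-03-28 08:57:50.811938 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
2007-03-28 08:57:51.352988 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370
2007-03-28 08:57:51.353032 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370
"""

# Direction each rule declares, transcribed from the pfctl -sr listing in the post.
RULE_DIRECTION = {55: "in", 84: "out", 85: "in", 86: "out"}

# One pflog line as printed by tcpdump -n -e on a pflog capture (IPv4/TCP only here).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<tcp>.*)$"
)


@dataclass
class PfLogEntry:
    ts: str
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp: str


def parse_pflog(text):
    """Parse tcpdump-formatted pflog text; raise on any line we do not understand."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised pflog line: {line!r}")
        g = m.groupdict()
        entries.append(PfLogEntry(
            g["ts"], int(g["rule"]), g["reason"], g["action"], g["dir"], g["iface"],
            g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["tcp"],
        ))
    return entries


def rule_hits(entries):
    """Count (rule, interface, direction) triples: which rule is being logged where."""
    return Counter((e.rule, e.iface, e.direction) for e in entries)


def direction_mismatches(entries, rule_direction):
    """Entries whose logged direction differs from the direction the rule declares.

    Such an entry cannot come from a fresh ruleset evaluation (a 'pass in' rule is
    only evaluated for inbound packets); it is a packet that matched a state entry,
    which pf logs under the rule that created the state. With log-all on that rule,
    every packet of the connection is logged this way, not just the first one.
    Rules not present in rule_direction are skipped.
    """
    return [e for e in entries if rule_direction.get(e.rule) not in (None, e.direction)]


if __name__ == "__main__":
    parsed = parse_pflog(PFLOG_SAMPLE)
    for (rule, iface, direction), n in sorted(rule_hits(parsed).items()):
        print(f"rule {rule:>3} {direction:<3} on {iface}: {n} packet(s)")
    for e in direction_mismatches(parsed, RULE_DIRECTION):
        print(f"state match? {e.ts} rule {e.rule} logged {e.direction} on {e.iface} "
              f"but rule is declared '{RULE_DIRECTION[e.rule]}': {e.src}.{e.sport} > {e.dst}.{e.dport}")
```

Run it against a real capture with `tcpdump -n -e -ttt -r /var/log/pflog` piped into `parse_pflog`; the regex is deliberately strict so that lines from other protocols surface as errors instead of being silently dropped.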