Date: Wed, 28 Mar 2007 10:27:56 -0700
From: Drew Tomlinson <drew@mykitchentable.net>
To: freebsd-pf@freebsd.org
Subject: Why Does This Packet Match This Rule?
Message-ID: <460AA59C.2000704@mykitchentable.net>
I am having a heck of a time understanding how pf works and getting it to behave the way I want with my home network and ADSL connection. Basically I want to use ALTQ to prioritize traffic going out the interface connected to my ADSL modem. Here's my network:

    internal --- dc0 - FBSD router - dc1 --- ADSL

So I created a rule set and now I'm trying to watch it and figure out what is happening. In watching the log, I captured this smtp transaction (I numbered each entry for reference):

1. 2007-03-28 08:57:48.143830 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535 <mss 1420,nop,wscale 0,[|tcp]>
2. 2007-03-28 08:57:48.143892 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win 65535 <mss 1420,nop,wscale 0,[|tcp]>
3. 2007-03-28 08:57:48.144212 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
4. 2007-03-28 08:57:48.144247 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack 377431783 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
5. 2007-03-28 08:57:50.811908 rule 55/0(match): pass in on dc1: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
6. 2007-03-28 08:57:50.811938 rule 86/0(match): pass out on dc0: 196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
7. 2007-03-28 08:57:51.352988 rule 85/0(match): pass in on dc0: 192.168.1.4.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370
8. 2007-03-28 08:57:51.353032 rule 55/0(match): pass out on dc1: 66.205.146.210.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370

and so on...
The currently loaded relevant rules are:

@55 pass in log-all on dc1 inet proto tcp from any to 192.168.1.4 port = smtp
@84 pass out log-all quick on dc1 inet from 66.205.146.210 to any modulate state queue(std_out, ack_out)
@85 pass in log on dc0 inet from 192.168.1.0/24 to any
@86 pass out log on dc0 inet all

In the above tcpdump output, I understand why entries 1-3 and 5-7 match the rules they match. However, I do not understand entry number 4 or 8. Instead of matching rule 55, I would expect them to match rule 84. Then the only traffic I should see passing through the pf rule set would be entries 1-4 as, when 4 matches rule 84, a state entry would be made and further matches would occur in the state table, eliminating entries 5-8 (and the rest). What am I missing?

If it helps, I also posted my complete pf.conf and the rules to which it expands at http://drew.mykitchentable.net/Temp/pf.conf.htm

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
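Added here as an illustration, not part of Drew's post or of pf itself: a small Python model of pf's order of evaluation (state table first, ruleset only on a miss) replayed over the eight logged packets, to show why entries 4 and 8 are credited to rule 55 and rule 84 is never consulted. It assumes rule 55 creates a state (a "pass in" rule can only be credited for an outbound packet through a state it created) while rules 85 and 86 do not, and it keys states the way the pf of that era did (lan/ext pair, direction-aware, any interface), with the rdr of 66.205.146.210 to 192.168.1.4 folded into one endpoint.

```python
from ipaddress import ip_address, ip_network
# Constructed from the post: 66.205.146.210 is rdr'd to 192.168.1.4 (one endpoint).
RDR = {"66.205.146.210": "192.168.1.4"}
# Rules from the post: (number, iface, dir, src, dst, keep_state, quick).
# Modelling assumption: 55 and 84 create state, 85 and 86 do not.
RULES = [
    (55, "dc1", "in",  None,             "192.168.1.4", True,  False),
    (84, "dc1", "out", "66.205.146.210", None,          True,  True),
    (85, "dc0", "in",  "192.168.1.0/24", None,          False, False),
    (86, "dc0", "out", None,             None,          False, False),
]
# The eight logged packets from the post: (iface, dir, src, sport, dst, dport).
EXT, MX, PUB = "196.206.216.121", "192.168.1.4", "66.205.146.210"
PACKETS = [("dc1", "in", EXT, 40718, MX, 25), ("dc0", "out", EXT, 40718, MX, 25),
           ("dc0", "in", MX, 25, EXT, 40718), ("dc1", "out", PUB, 25, EXT, 40718),
           ("dc1", "in", EXT, 40718, MX, 25), ("dc0", "out", EXT, 40718, MX, 25),
           ("dc0", "in", MX, 25, EXT, 40718), ("dc1", "out", PUB, 25, EXT, 40718)]

def canon(addr):
    return RDR.get(addr, addr)

def state_key(direction, src, sport, dst, dport):
    """A state is keyed (lan, ext): an 'in' packet runs ext->lan and an 'out'
    packet lan->ext, on any interface; the rdr'd public address counts as lan."""
    if direction == "in":
        return ((canon(dst), dport), (src, sport))
    return ((canon(src), sport), (dst, dport))

def in_spec(spec, addr):
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)

def credited_rules(packets):
    """Rule number each packet is logged against: the state table is consulted
    first, a hit is credited to the creating rule and the ruleset is skipped."""
    states, out = {}, []
    for iface, direction, src, sport, dst, dport in packets:
        key = state_key(direction, src, sport, dst, dport)
        if key in states:
            out.append(states[key])
            continue
        winner = None                    # last match wins unless 'quick'
        for rule in RULES:
            _, r_if, r_dir, r_src, r_dst, _, quick = rule
            if (r_if, r_dir) == (iface, direction) and in_spec(r_src, src) and in_spec(r_dst, dst):
                winner = rule
                if quick:
                    break
        if winner and winner[5]:
            states[key] = winner[0]      # state created by this rule
        out.append(winner[0] if winner else None)
    return out

print(credited_rules(PACKETS))  # [55, 86, 85, 55, 55, 86, 85, 55]: 84 is never reached
```

Entries 2, 3, 6 and 7 miss the state because their lan/ext orientation does not line up with the state rule 55 created, so they fall through to the ruleset each time; entries 4 and 8 hit it and are logged under rule 55 by its log-all.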