Date: Mon, 1 May 2006 23:00:01 +0400
From: "Dmitry Andrianov" <dimas@dataart.com>
To: <freebsd-pf@freebsd.org>
Subject: should tcpdump see blocked packets?
Message-ID: <D5972F49810A69449A9EA72A4B360DC2D0A07B@e1.universe.dart.spb>

Hello all.

I was under the impression that tcpdump on any interface should NOT see incoming packets which are blocked by pf rules - these packets should only appear on the pflog0 interface (and only if logged explicitly by a "block log"/"pass log" rule).

But right now I see that tcpdump -pni em0 (where em0 is my DMZ interface) actually sees packets which should not be there (because they are blocked)! Interestingly enough, these packets are also visible with tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in my ruleset, only the "block + log" ones, the only explanation I see is that tcpdump sees packets on em0 before they are processed by pf. This worries me because for other interfaces tcpdump does not see blocked traffic. I wonder why this happens.

Regards,
Dmitry Andrianov