Date: Sat, 18 Nov 2017 12:20:27 +1100 (EST)
From: Dave Horsfall <dave@horsfall.org>
To: FreeBSD PF List <freebsd-pf@freebsd.org>
Subject: Why is PF rejecting these connections?
Message-ID: <alpine.BSF.2.21.1711181201020.780@aneurin.horsfall.org>
I have PF (FreeBSD 10.4) configured to drop suspicious packets e.g. those claiming to be ACKs for non-existent connections etc, but I'm seeing some weirdness in the logs. Now, I sort of inherited the configuration and don't fully understand each directive, but if it works for someone I trust, well...

Anyway, here are some sample log entries:

23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
[...]
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>

Etc; the common theme appears to be those options whose purpose I don't quite grok, but are presumably legal in this context.

The relevant lines from my pf.conf seem to be:

set block-policy drop
set loginterface egress
#set ruleset-optimization basic
scrub in
block all
pass out quick all keep state
antispoof log quick for $ext_if inet

[ Sundry pass/block rules ]

So, why is PF complaining about those packets? The finer points of TCP options notwithstanding, they seem OK to me...

Remember: I inherited most of the configuration file, so I don't necessarily understand it.

Thanks.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
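Added example (editor's code, not part of the original post): a small parser for tcpdump-style pflog output of the kind quoted above. Two things in those lines are worth checking mechanically before suspecting the TCP options. First, `TS[|tcp]` is tcpdump's truncation marker: the capture's snapshot length ended in the middle of the options, so the timestamp option was not fully decoded, which says nothing about the packet's legality. Second, each source shows the same sequence number on successive SYNs, which is the signature of a client retransmitting a SYN that got no answer, i.e. the first SYN was already dropped. The block below parses the four quoted lines plus one constructed single-SYN line (hostname `example.invalid`, made up for the example) and groups bare SYNs by (source, destination, seq) to surface retransmissions and the time spread between them.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four log lines quoted in the message, plus one constructed line
# (example.invalid) that sends a single SYN and should not be flagged.
SAMPLE_LOG = """\
23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:58:01.000000 IP example.invalid.51000 > aneurin.kfu.smtp: Flags [S], seq 7, win 65535, options [mss 1460,sackOK,TS[|tcp]>
"""

# tcpdump's "IP src.port > dst.port: Flags [..], seq N, win W" layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+), win (?P<win>\d+)"
)


def split_endpoint(endpoint):
    """'host.name.port' -> ('host.name', 'port'); the port is the last dotted field."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return {
        "ts": m.group("ts"),
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": m.group("flags"),          # "S" = bare SYN, "S." = SYN-ACK
        "seq": int(m.group("seq")),
        "win": int(m.group("win")),
        # "[|tcp]" means tcpdump ran out of captured bytes while decoding options.
        "truncated": "[|tcp]" in line,
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def syn_retransmissions(records):
    """Group bare SYNs by 4-tuple + seq; a group with >1 entry is a retransmitted SYN."""
    groups = defaultdict(list)
    for r in records:
        if r["flags"] != "S":
            continue
        key = (r["src_host"], r["src_port"], r["dst_host"], r["dst_port"], r["seq"])
        groups[key].append(r["ts"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def spread_seconds(timestamps):
    """Seconds between first and last timestamp of a group (same-day HH:MM:SS.ffffff)."""
    fmt = "%H:%M:%S.%f"
    first = datetime.strptime(timestamps[0], fmt)
    last = datetime.strptime(timestamps[-1], fmt)
    return (last - first).total_seconds()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, stamps in syn_retransmissions(recs).items():
        src, sport, dst, dport, seq = key
        print(f"{src}:{sport} -> {dst}:{dport} seq={seq} "
              f"SYN seen {len(stamps)}x over {spread_seconds(stamps):.1f}s")
```

Run against a real pflog capture with `tcpdump -n -e -ttt -r /var/log/pflog` output piped in (the `-e` rule/action prefix would need a small regex extension, which this example omits). If the capture is always truncated at the options, raising the snaplen (`tcpdump -s 0`) is the quicker check than worrying about the options themselves.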