On Tue, Sep 09, 2008 at 09:20:20AM +0400, Dmitry Rybin wrote:
> === pf.conf ===
> ext_if="bge0"
>
> block in quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
>
> # pfctl -f
> # pfctl -t dnsflood -Tadd 78.107.71.38
> # pfctl -t dnsflood -Tadd 89.179.195.34
> # pfctl -t dnsflood -Tshow
> 78.107.71.38
> 89.179.195.34
>
> and so on.
>
> # pfctl -k 78.107.71.38
> killed 1 states from 1 sources and 0 destinations
> [EMAIL PROTECTED] /opt/home/kirgudu]# tcpdump -ibge0 -p -n host 78.107.71.38
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:12:37.260545 IP 78.107.71.38.46316 > 195.14.50.21.53: 21852+ TXT? 170.225.6.117.bl.spamcop.net. (46)
> 09:12:37.812533 IP 78.107.71.38.46317 > 195.14.50.21.53: 52423+ PTR? 142.220.10.10.in-addr.arpa. (44)
> 09:12:38.838395 IP 195.14.50.21.53 > 78.107.71.38.42859: 13664 ServFail 0/0/0 (46)
> 09:12:38.838420 IP 195.14.50.21.53 > 78.107.71.38.42859: 6698 ServFail 0/0/0 (46)
> 09:12:39.028347 IP 78.107.71.38.46318 > 195.14.50.21.53: 3221+ PTR? 109.220.10.10.in-addr.arpa. (44)
> 09:12:39.492471 IP 78.107.71.38.46319 > 195.14.50.21.53: 1887+ PTR? 57.63.8.58.in-addr.arpa. (41)
>
> # pfctl -s state|grep 78.107.71.38
> all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
>
> DNS service replying to the blocked host.
>
> # pfctl -s rules
> block drop quick in on bge0 inet from <dnsflood> to any
> pass in all flags S/SA keep state
> pass out all flags S/SA keep state
Hmm, it appears that even with the "block" rule in place, and all previous state table entries flushed, the packet is somehow making it through.

Does "pfctl -T show -t dnsflood -v" show any hits for In/Block on the table entry for 78.107.71.38? (I doubt it, but I want to make sure).

Only two ideas I have left:

1) Are you *absolutely sure* the packets are arriving on bge0 and not some other interface?

2) Is pf processing even enabled? pfctl -s info | head -1

Also, you removed the freebsd-pf mailing list from your response to me. I don't know why, so I've re-added it.

If none of the above helps, then I'm out of ideas and David or Max will have to assist in figuring out the root cause.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
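An added diagnostic for the situation in the thread, not code from either poster: the surviving state is `195.14.50.21:53 -> 78.107.71.38:42859`, i.e. the blocked host is the *destination*, and `pfctl -k host` only kills states originating from that host, so a state matching an existing "pass out keep state" entry keeps answering the blocked address regardless of the "block in quick" rule. The script below parses constructed `pfctl -s state` output in the layout shown in the thread (the `in`/`out` direction column of newer pf is tolerated as an assumption) and lists which states touch a table-blocked host on each side, so an operator can see what `-k` would leave behind.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of "pfctl -s state" from the thread
# (interface, protocol, src -> dst, state). Addresses are the ones quoted
# above plus one unrelated SSH state.
SAMPLE_STATES = """\
all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
all udp 78.107.71.38:46316 -> 195.14.50.21:53       SINGLE:NO_TRAFFIC
all tcp 10.0.0.5:51234 -> 195.14.50.21:22           ESTABLISHED:ESTABLISHED
bge0 udp 192.0.2.10:53 -> 89.179.195.34:40000       MULTIPLE:MULTIPLE
"""

State = namedtuple("State", "iface proto src dst status")

# Optional "in"/"out" column and an optional NAT hop ("src -> gw -> dst")
# are assumptions about other pf versions, not something shown in the thread.
_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?:(?:in|out)\s+)?"
    r"(?P<src>\S+)\s+->\s+(?:\S+\s+->\s+)?(?P<dst>\S+)\s+(?P<status>\S+)\s*$"
)

def host_of(endpoint):
    """Strip the :port suffix from an IPv4 endpoint such as 1.2.3.4:53."""
    return endpoint.rsplit(":", 1)[0]

def parse_states(text):
    """Parse every line that looks like a pf state entry; skip the rest."""
    states = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            states.append(State(**m.groupdict()))
    return states

def leaking_states(text, blocked):
    """Split states touching a blocked host by which side the host is on.

    'pfctl -k host' kills only states whose source is host, so anything in
    the dst_side list (here, the DNS replies) survives that command and keeps
    matching before the 'block in quick from <table>' rule is consulted.
    """
    blocked = set(blocked)
    states = parse_states(text)
    src_side = [s for s in states if host_of(s.src) in blocked]
    dst_side = [s for s in states if host_of(s.dst) in blocked]
    return src_side, dst_side

if __name__ == "__main__":
    _, dst_side = leaking_states(SAMPLE_STATES, ["78.107.71.38", "89.179.195.34"])
    for s in dst_side:
        print("survives 'pfctl -k %s': %s %s -> %s" % (host_of(s.dst), s.proto, s.src, s.dst))
```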