TL;DR: add `log` to the rules, then start pflog, use wireshark or tcpdump on the pflog interface and you can see exactly which rule is applied to that packet.
On Tue, 3 Dec 2019, at 08:05, Victor Sudakov wrote:
> Morgan Wesström wrote:
> >
> > - Your initial telnet SYN will create state on $inside through rule 3.
> > - There should be no state created on $dmz.
> > - Your SYN+ACK reply and further replies will be passed by pf's default
> > pass behaviour on $dmz.
>
> OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.
>
> 1. Here is the picture without the "block..." rule:
>
> root@inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> 64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
> 64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
> 64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
> 64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
> 64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms
>
> root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:1283 <- 192.168.10.3:1283 0:0
> all icmp 192.168.10.3:1283 <- 172.16.1.10:1283 0:0
> root@fw:~ #
>
> 2. Here is the picture with the "block..." rule uncommented:
>
> root@inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> (no reply)
>
> root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> block drop in on vtnet1 inet from any to 192.168.0.0/16
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:8707 <- 192.168.10.3:8707 0:0
> root@fw:~ #
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/

--
Dave Cottlehuber
+43 67 67 22 44 78
Managing Director
Skunkwerks, GmbH
http://skunkwerks.at/
ATU70126204
Firmenbuch 410811i
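The pflog workflow from the reply above, carried through on Victor's three rules, as an added example that is not part of the thread. It writes Victor's ruleset with `log` added to every rule, lists the commands that would be run on the firewall (they need root and a pf host, so they are left as comments), and then parses pflog output as `tcpdump -n -e -ttt -i pflog0` prints it. The two pflog lines are a constructed sample: they assume vtnet2 is the inside interface, vtnet1 the DMZ interface, and that the rule indices are the 0-based numbers `pfctl -vvs rules` would print for that ruleset (request passed by rule 2, reply blocked by rule 1). Nothing here is the project's own code.

```shell
#!/bin/sh
# Added example (not from the thread): find out which pf rule matched a packet
# by logging every rule to pflog0 and reading the log with tcpdump.

# Victor's ruleset with "log" added to each rule, written to a file of the
# caller's choosing. On the firewall you would then run (root required):
#   pfctl -nf /path/to/pf.conf          # syntax check only
#   pfctl -f  /path/to/pf.conf          # load the rules
#   service pflog onestart              # brings up pflog0
#   tcpdump -n -e -ttt -i pflog0 icmp   # watch which rule each packet hit
#   pfctl -vvs rules                    # shows the @N index tcpdump refers to
write_rules() {
cat > "$1" <<'EOF'
pass in log on vtnet1 all flags S/SA keep state
block drop in log on vtnet1 inet from any to 192.168.0.0/16
pass in log on vtnet2 all flags S/SA keep state
EOF
}

# Constructed sample of what tcpdump -n -e -ttt -i pflog0 prints for one ping
# from inside (192.168.10.3) to the DMZ host (172.16.1.10). Assumption: vtnet2
# is the inside interface and vtnet1 the DMZ interface; rule numbers are the
# 0-based indices of the ruleset above.
SAMPLE_PFLOG='00:00:00.000000 rule 2/0(match): pass in on vtnet2: 192.168.10.3 > 172.16.1.10: ICMP echo request, id 8707, seq 0, length 64
00:00:00.000412 rule 1/0(match): block in on vtnet1: 172.16.1.10 > 192.168.10.3: ICMP echo reply, id 8707, seq 0, length 64'

# Reduce each pflog line to the fields that answer "which rule, on which
# interface, did what to this packet". Reads stdin, writes one line per match.
pflog_summarize() {
  sed -n -E 's#^[^ ]+ rule ([0-9]+)/[0-9]+\(match\): ([a-z]+) (in|out) on ([^:]+): ([^ ]+) > ([^:]+):.*#rule=\1 action=\2 dir=\3 if=\4 src=\5 dst=\6#p'
}

# Print only the indices of rules that blocked something; with "pfctl -vvs rules"
# these map straight back to the offending line in pf.conf.
blocked_rules() {
  pflog_summarize | awk '$2 == "action=block" { sub("rule=", "", $1); print $1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summarize
printf 'blocked by rule(s): %s\n' "$(printf '%s\n' "$SAMPLE_PFLOG" | blocked_rules)"
```

In the sample the echo request is passed in on vtnet2 but the reply is dropped in on vtnet1 by rule 1, which is exactly what `pfctl -s state` in Victor's second run suggests: one state for the outgoing request and no reply.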