Hi

  On my machine with FreeBSD 6.2-STABLE #4 I noticed there are
  outgoing packets from net 192.168.0.0/16 on the external interface.

  Some details:
  Here 1 < a,b,c,d,e,f < 254
  

~> ifconfig internal
internal: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:04:23:b0:53:ca
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
~> ifconfig external
external: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        inet a.b.c.22 netmask 0xfffffffc broadcast a.b.c.23
        ether 00:02:b3:4c:83:6e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

~> grep -v '^#' /etc/pf.conf | grep mynet
table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }
        
~> sudo pfctl -s a | less
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
rdr on external inet proto tcp from any to a.b.e.1 port = ftp -> 192.168.0.2 port 21
rdr on external inet proto udp from any to a.b.e.1 port = 4127 -> 192.168.0.2 port 4127
rdr on external inet proto tcp from any to a.b.e.1 port = 4899 -> 192.168.0.2 port 4899
rdr on external inet proto tcp from any to a.b.c.22 port = 4022 -> 172.16.56.57 port 22

FILTER RULES:
pass in all
pass out all
pass out quick on external inet from a.b.c.20/30 to any
pass out quick on external inet from a.b.d.224/27 to any
pass out quick on external inet from a.b.e.0/24 to any
block drop out on external all

STATES:
#a lot of states

INFO:
Status: Enabled for 0 days 11:06:40           Debug: Urgent

Hostid: 0x2055eb8b

State Table                          Total             Rate
  current entries                     4182
  searches                       250779576         6269.5/s
  inserts                          1877065           46.9/s
  removals                         1872883           46.8/s
Counters
  match                          165990128         4149.8/s
  bad-offset                             0            0.0/s
  fragment                              15            0.0/s
  short                                  2            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                           4550            0.1/s
  proto-cksum                            0            0.0/s
  state-mismatch                      6233            0.2/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                    30s
tcp.opening                   5s
tcp.established           18000s
tcp.closing                  60s
tcp.finwait                  30s
tcp.closed                   30s
tcp.tsdiff                   10s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                          5s
interval                      2s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states     hard limit  50000
src-nodes  hard limit  30000
frags      hard limit  50000

TABLES:
mynet

OS FINGERPRINTS:
348 fingerprints loaded


Here I try to catch packets on external interface:

~> sudo tcpdump -ni external src net 192.168.0.0/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 96 bytes
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
12:59:44.401946 IP 192.168.54.12.2124 > 194.145.212.35.80: . ack 2208596276 win 0
12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
12:59:44.401971 IP 192.168.46.101.1652 > 81.19.80.2.80: . ack 1004425830 win 0
12:59:44.401983 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1120457487 win 0
12:59:44.401995 IP 192.168.54.71.1578 > 87.248.217.79.80: . ack 2473371997 win 0
12:59:44.402022 IP 192.168.38.49.4183 > 65.54.195.188.80: . ack 964472648 win 0
12:59:44.402041 IP 192.168.42.90.60363 > 66.249.93.91.80: . ack 2862783680 win 0
12:59:44.402055 IP 192.168.46.46.58867 > 89.188.102.70.80: . ack 2523375288 win 0
12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
12:59:44.402087 IP 192.168.60.38.2050 > 66.235.180.76.8080: . ack 2443543023 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
12:59:49.400190 IP 192.168.42.124.1314 > 81.19.80.2.80: . ack 1518361964 win 0
12:59:49.400202 IP 192.168.42.124.1315 > 217.16.26.60.80: . ack 2295931572 win 0
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
12:59:49.400229 IP 192.168.42.124.1311 > 81.222.128.13.80: . ack 1477893358 win 0
12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
12:59:49.400255 IP 192.168.42.124.1309 > 194.67.23.108.80: . ack 2813951723 win 0
12:59:49.400269 IP 192.168.38.16.1311 > 88.85.78.58.80: . ack 3157990844 win 0
12:59:49.400281 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1 win 0
12:59:49.400318 IP 192.168.11.118.2487 > 213.180.214.31.80: . ack 0 win 0
12:59:49.400331 IP 192.168.52.33.64997 > 193.192.41.2.80: . ack 69990011 win 0
12:59:49.400352 IP 192.168.24.16.1047 > 64.12.31.144.5190: . ack 2248286157 win 0
12:59:49.400371 IP 192.168.60.38.2057 > 66.235.180.76.8080: . ack 2458160570 win 0
12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
^C
28 packets captured
45864 packets received by filter
0 packets dropped by kernel

Why weren't these packets translated by the pf nat rule or filtered by the
pf block rule?

Note they appear once every five seconds. I tried modifying the frag parameter,
but this didn't help. I also noticed they all have the ACK bit set.

Thank you.
  

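The script below is an added example, not part of the original post or of pf itself. It does what a defender would do first with a capture like the one above: parse the tcpdump summary lines, apply the post's own nat rule logic (`from <mynet> to ! <mynet>`) to each packet, and report which packets left the external interface with an untranslated private source, how many are bare ACKs with a zero window, and how far apart the bursts are. The `<mynet>` contents and the first seven capture lines are copied from the post; the two trailing capture lines (a translated source in the 198.51.100.0/24 documentation range and an internal-to-internal packet) are constructed to show packets the rule must not flag.

```python
#!/usr/bin/env python3
"""Egress-leak check for a tcpdump capture taken on a pf NAT gateway's
external interface.  Added example; not code from the original post."""
import re
import ipaddress
from collections import defaultdict

# Contents of table <mynet> as shown in the post's pf.conf excerpt.
MYNET = [ipaddress.ip_network("192.168.0.0/16"),
         ipaddress.ip_network("172.16.0.0/16")]

# tcpdump -n (non-verbose) TCP summary line:
#   HH:MM:SS.usec IP src.sport > dst.dport: <flags> [ack N] [win N] ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Za-z.]+)(?P<rest>.*)$"
)

# First seven lines copied from the post; last two lines are constructed.
SAMPLE_CAPTURE = """\
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
12:59:49.400300 IP 198.51.100.240.50000 > 93.184.216.34.80: S 123456:123456(0) win 65535
12:59:49.400310 IP 192.168.1.5.40000 > 172.16.56.57.22: S 7:7(0) win 65535
"""


def parse_line(line):
    """Parse one tcpdump summary line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    rest = m.group("rest")
    ackm = re.search(r"\back (\d+)", rest)
    winm = re.search(r"\bwin (\d+)", rest)
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),   # seconds since midnight
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),                         # "." means bare ACK
        "ack": int(ackm.group(1)) if ackm else None,
        "win": int(winm.group(1)) if winm else None,
    }


def in_table(addr, table=MYNET):
    return any(addr in net for net in table)


def nat_should_apply(pkt):
    """Mirror the post's rule: nat on external inet from <mynet> to ! <mynet>."""
    return in_table(pkt["src"]) and not in_table(pkt["dst"])


def find_leaks(lines):
    """Packets seen on the external interface that the nat rule should have
    translated but that still carry a private source address."""
    return [p for p in map(parse_line, lines) if p and nat_should_apply(p)]


def burst_intervals(pkts, gap=1.0):
    """Group packets into bursts (consecutive packets < `gap` s apart) and
    return the seconds between the starts of successive bursts."""
    starts, last = [], None
    for p in sorted(pkts, key=lambda p: p["ts"]):
        if last is None or p["ts"] - last >= gap:
            starts.append(p["ts"])
        last = p["ts"]
    return [round(b - a, 2) for a, b in zip(starts, starts[1:])]


def summarize(pkts):
    """Counts worth a glance: leaked packets, bare ACKs with a zero window
    (the pattern the post describes), and packets per internal host."""
    zero_window_acks = sum(1 for p in pkts if p["flags"] == "." and p["win"] == 0)
    hosts = defaultdict(int)
    for p in pkts:
        hosts[str(p["src"])] += 1
    return {"packets": len(pkts), "zero_window_acks": zero_window_acks,
            "hosts": dict(hosts)}


if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_CAPTURE.splitlines())
    print(summarize(leaks))
    print("seconds between bursts:", burst_intervals(leaks))
```

Run against a real capture, feed it `tcpdump -ni external -l src net 192.168.0.0/16` line by line; anything `find_leaks` returns is traffic that reached the wire without passing through the nat rule as written, and the burst interval tells you whether it is a steady timer (the five-second cadence noted in the post) rather than ordinary client traffic.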