Hi, I've three questions.

1) Regarding "tcpdump -nettti pflog0" output: how do I have to interpret the "rule 15" sample output of tcpdump below?

Sample:

Oct 07 15:12:02.352998 rule 15/(match) block in on fxp0: x.x.x.x.18227 > x.x.x.x.80: S 63197884:63197884(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]>

I had a look at my rules with pfctl -sr, here is rule 15:

block drop quick on fxp1 inet proto udp from <all-localnets> to any port = netbios-dgm label "15"

FOR INFO, I'm using the "$nr" label macro to get the rule number!

2a) Is there a specific option available for pfctl to show the rule number, or another tool?

2b) Is label "$nr" the only method to display the line number?

Many thanks,
Didier

Here is the output of "pfctl -sr":

scrub in all fragment reassemble
scrub out on fxp0 all random-id fragment reassemble
block drop quick inet6 all label "2"
block drop log quick from <hostile> to any label "3"
block drop log quick from <reserved> to any label "4"
block drop quick on fxp2 inet proto tcp from <all-localnets> to any port = netbios-ns label "5"
block drop quick on fxp2 inet proto tcp from <all-localnets> to any port = netbios-dgm label "6"
block drop quick on fxp2 inet proto tcp from <all-localnets> to any port = netbios-ssn label "7"
block drop quick on fxp2 inet proto udp from <all-localnets> to any port = netbios-ns label "8"
block drop quick on fxp2 inet proto udp from <all-localnets> to any port = netbios-dgm label "9"
block drop quick on fxp2 inet proto udp from <all-localnets> to any port = netbios-ssn label "10"
block drop quick on fxp1 inet proto tcp from <all-localnets> to any port = netbios-ns label "11"
block drop quick on fxp1 inet proto tcp from <all-localnets> to any port = netbios-dgm label "12"
block drop quick on fxp1 inet proto tcp from <all-localnets> to any port = netbios-ssn label "13"
block drop quick on fxp1 inet proto udp from <all-localnets> to any port = netbios-ns label "14"
block drop quick on fxp1 inet proto udp from <all-localnets> to any port = netbios-dgm label "15"
block drop quick on fxp1 inet proto udp from <all-localnets> to any port = netbios-ssn label "16"
block drop log-all all label "17"
anchor "ftpsesame/*" all
pass inet proto icmp all icmp-type echoreq keep state label "19"
pass quick on lo0 all label "20"
pass out quick on fxp2 inet from 10.0.43.135 to any keep state label "21"
pass out quick on fxp2 inet6 from fe80::290:27ff:fe9d:6df4 to any keep state label "22"
pass quick inet proto tcp from 10.0.43.189 to 10.0.43.135 port = ssh modulate state label "23"
pass quick inet proto tcp from 10.202.9.3 to 10.0.43.135 port = ssh modulate state label "24"
pass quick inet proto tcp from <networks> to <localnet> port = ssh modulate state label "25"
pass inet proto tcp from any to 10.3.58.18 port = smtp modulate state label "26"
pass inet proto tcp from any to 10.3.58.18 port = smtps modulate state label "27"
pass inet proto tcp from any to 10.3.58.18 port = https modulate state label "28"
pass inet proto tcp from any to 10.3.58.18 port = pop3s modulate state label "29"
pass inet proto tcp from any to 10.3.58.18 port = imaps modulate state label "30"
pass inet proto tcp from <localnet> to any port = smtp modulate state label "31"
pass inet proto tcp from <localnet> to any port = ftp modulate state label "32"
pass inet proto tcp from <localnet> to any port = ssh modulate state label "33"
pass inet proto tcp from <localnet> to any port = www modulate state label "34"
pass inet proto tcp from <localnet> to any port = https modulate state label "35"
pass inet proto tcp from <localnet> to any port = cvsup modulate state label "36"
pass inet proto tcp from <localnet> to any port = 13499 modulate state label "37"
pass inet proto tcp from <localnet> to any port = nntp modulate state label "38"
pass inet proto udp from <localnet> to any port = ntp keep state label "39"
pass inet proto udp from <localnet> to any port = domain keep state label "40"
pass inet proto udp from <localnet> to any port = 5999 keep state label "41"

Here is pf.conf:

#DEFAULT BLOCK
block quick inet6 all label "$nr"
block log quick from <hostile> label "$nr"
block log quick from <reserved> label "$nr"
block quick on { $net_if, $int_if } inet proto { tcp, udp } from \
    { <all-localnets> } to any port { 137,138,139 } label "$nr"
block log-all all label "$nr"
anchor "ftpsesame/*" label "$nr"

#ICMP
pass inet proto icmp all icmp-type echoreq keep state label "$nr"

#LOOPBACK
pass quick on lo0 all label "$nr"

#SECURE NET
pass out quick on $net_if from $net_if keep state label "$nr"
pass quick inet proto tcp from { lucy, 10.202.9.3 } to $net_if \
    port ssh modulate state label "$nr"
pass quick inet proto tcp from <networks> to <localnet> port ssh \
    modulate state label "$nr"

#TO SERVER
pass inet proto tcp from any to $srv port { smtp, smtps, \
    https, pop3s, imaps } modulate state label "$nr"

#INTERNAL TRAFFIC
pass inet proto tcp from <localnet> to any port { smtp, ftp, ssh, www, \
    https, cvsup, 13499, nntp } modulate state label "$nr"
pass inet proto udp from <localnet> to any port { ntp, domain, cvsup } \
    keep state label "$nr"
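As an added example (not from Didier's post and not part of pf or pfctl), the following Python script takes a "pfctl -sr" listing and a tcpdump pflog0 line, numbers the filter rules the way "pfctl -vvsr" prints them (zero-based "@N", filter ruleset only, so the two scrub rules are not counted) and looks up which rule the "rule N" in the log line refers to. It assumes that the pflog rule number is exactly that zero-based filter-ruleset index; the listing (truncated after the first pass rule) and the tcpdump line are copied from the post above, and a mismatch between the logged verdict and the rule's own action is treated as a sign that the listing is from a different ruleset than the one that produced the log.

```python
import re

# "pfctl -sr" listing copied from the post, truncated after the first pass
# rule (only the truncation is ours).
PFCTL_SR = """\
scrub in all fragment reassemble
scrub out on fxp0 all random-id fragment reassemble
block drop quick inet6 all label "2"
block drop log quick from <hostile> to any label "3"
block drop log quick from <reserved> to any label "4"
block drop quick on fxp2 inet proto tcp from <all-localnets> to any port = netbios-ns label "5"
block drop quick on fxp2 inet proto tcp from <all-localnets> to any port = netbios-dgm label "6"
block drop quick on fxp2 inet proto tcp from <all-localnets> to any port = netbios-ssn label "7"
block drop quick on fxp2 inet proto udp from <all-localnets> to any port = netbios-ns label "8"
block drop quick on fxp2 inet proto udp from <all-localnets> to any port = netbios-dgm label "9"
block drop quick on fxp2 inet proto udp from <all-localnets> to any port = netbios-ssn label "10"
block drop quick on fxp1 inet proto tcp from <all-localnets> to any port = netbios-ns label "11"
block drop quick on fxp1 inet proto tcp from <all-localnets> to any port = netbios-dgm label "12"
block drop quick on fxp1 inet proto tcp from <all-localnets> to any port = netbios-ssn label "13"
block drop quick on fxp1 inet proto udp from <all-localnets> to any port = netbios-ns label "14"
block drop quick on fxp1 inet proto udp from <all-localnets> to any port = netbios-dgm label "15"
block drop quick on fxp1 inet proto udp from <all-localnets> to any port = netbios-ssn label "16"
block drop log-all all label "17"
anchor "ftpsesame/*" all
pass inet proto icmp all icmp-type echoreq keep state label "19"
"""

# tcpdump pflog0 line copied from the post.
PFLOG_LINE = ("Oct 07 15:12:02.352998 rule 15/(match) block in on fxp0: "
              "x.x.x.x.18227 > x.x.x.x.80: S 63197884:63197884(0) win 65535 "
              "<mss 1460,nop,wscale 0,[|tcp]>")

# "rule 15/(match) block in on fxp0:" -> number, reason, action, direction, interface
PFLOG_RE = re.compile(
    r"rule (?P<nr>\d+)/\((?P<reason>[^)]+)\) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\S+):")
LABEL_RE = re.compile(r'label "([^"]*)"')


def filter_rules(listing):
    """Return the filter rules in ruleset order, so that filter_rules(x)[n]
    is the rule "pfctl -vvsr" prints as @n.  Assumption: scrub rules belong
    to a separate ruleset and are skipped; block/pass/anchor lines count."""
    return [ln.strip() for ln in listing.splitlines()
            if ln.strip() and not ln.strip().startswith("scrub")]


def parse_pflog(line):
    """Pull rule number, reason, verdict, direction and interface out of a
    tcpdump pflog0 line."""
    m = PFLOG_RE.search(line)
    if m is None:
        raise ValueError("no 'rule N/(reason) action dir on if:' in: " + line)
    fields = m.groupdict()
    fields["nr"] = int(fields["nr"])
    return fields


def resolve(listing, pflog_line):
    """Map the pflog rule number onto the rule text and its label."""
    rules = filter_rules(listing)
    ev = parse_pflog(pflog_line)
    if ev["nr"] >= len(rules):
        raise IndexError("rule %d not in a %d-rule listing (stale listing?)"
                         % (ev["nr"], len(rules)))
    rule = rules[ev["nr"]]
    # The logged verdict must agree with the rule's own action; if not, the
    # listing was taken from a different ruleset than the one that logged.
    if not rule.startswith(ev["action"]):
        raise ValueError("log says %s but @%d is: %s"
                         % (ev["action"], ev["nr"], rule))
    lm = LABEL_RE.search(rule)
    return {"nr": ev["nr"], "rule": rule,
            "label": lm.group(1) if lm else None,
            "reason": ev["reason"], "ifname": ev["ifname"]}


def rule_number_for_label(listing, label):
    """Inverse lookup: which @N carries a given label (None if absent)."""
    for n, rule in enumerate(filter_rules(listing)):
        lm = LABEL_RE.search(rule)
        if lm and lm.group(1) == label:
            return n
    return None


def label_offset(listing):
    """Difference between the numeric "$nr" label and the @N index for the
    first labelled filter rule; non-zero when $nr counted rules (the scrub
    rules here) that are not part of the filter ruleset."""
    for n, rule in enumerate(filter_rules(listing)):
        lm = LABEL_RE.search(rule)
        if lm and lm.group(1).isdigit():
            return int(lm.group(1)) - n
    return None


if __name__ == "__main__":
    hit = resolve(PFCTL_SR, PFLOG_LINE)
    print("pflog rule %d -> @%d %s" % (hit["nr"], hit["nr"], hit["rule"]))
    print('rule labelled "15" is @%d' % rule_number_for_label(PFCTL_SR, "15"))
    print("label = @N + %d" % label_offset(PFCTL_SR))
```

Running it against a live box would mean feeding it the output of "pfctl -sr" (or comparing with "pfctl -vvsr", whose "@N" prefixes are the same numbering) together with the pflog0 lines of interest; the script deliberately refuses to answer when the logged verdict and the numbered rule disagree, because a ruleset reloaded since the log was written renumbers every rule.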