* Martin Gignac <martin.gig...@gmail.com> [2015-02-24 14:46]:
> 08:24:27.831052 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1:
> igmp query [tos 0xc0] [ttl 1]
> 08:26:36.645149 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1:
> igmp query [tos 0xc0] [ttl 1]
>
> Two things which I don't understand:
>
> 1. Why is pflog0 showing packets for a rule (1:pass all flags S/SA) that
> does not even have logging enabled?

pf forces a drop of some packets. i.e. those matching a state but
failing the tcp sequence number against the window check, or with ip
options set, or fragments if defrag is turned off (on by default) and
there is no rule specifically matching fragments.
since these have no rule to refer to, they refer to the default rule,
which happens to be a pass one. and that pass is shown. can admittedly
be misleading.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
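
A triage aid for the situation discussed in this thread, added here as an example and not part of either message: it cross-checks pflog entries against the ruleset and lists entries attributed to a rule that has no `log` keyword, which are the candidates for pf's own forced handling. The ruleset excerpt (written in the `@N rule` style of `pfctl -vvsr`), the third log line and all function names are constructed for illustration.

```python
import re

# Constructed ruleset excerpt; rule 1 is the rule quoted in the thread.
RULESET = """\
@0 block return log all
@1 pass all flags S/SA
@2 pass in log on vlan308 proto tcp to port 22
"""

# First two entries are the thread's log lines (rejoined); the third is constructed.
PFLOG = """\
08:24:27.831052 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
08:26:36.645149 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
08:27:01.000001 rule 2/(match) pass in on vlan308: 10.120.108.9.51515 > 10.120.108.1.22: S
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
LOG_RE = re.compile(
    r"^(\S+) rule (\d+)/\d*\((\S+?)\) (\w+) (in|out) on (\S+): (.*)$")


def logging_rules(ruleset):
    """Map rule number -> True when the rule text carries the `log` keyword."""
    rules = {}
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = bool(re.search(r"\blog\b", m.group(2)))
    return rules


def unexpected_entries(ruleset, pflog):
    """Return pflog entries whose rule does not ask for logging.

    Rule numbers missing from the ruleset are reported too, since the
    entry cannot be explained by a `log` rule we know about.
    """
    rules = logging_rules(ruleset)
    hits = []
    for line in pflog.splitlines():
        m = LOG_RE.match(line)
        if m and not rules.get(int(m.group(2)), False):
            ts, num, reason, action, direction, iface, pkt = m.groups()
            hits.append({"time": ts, "rule": int(num), "reason": reason,
                         "action": action, "iface": iface, "packet": pkt})
    return hits


if __name__ == "__main__":
    for h in unexpected_entries(RULESET, PFLOG):
        print(h["time"], "rule", h["rule"], h["action"], h["packet"])
```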