Hello fellow pf group,

        It's been about a month since I have been testing --current at work,
but I have been following all of the hard work you guys have done - truly
impressive. I started testing again on Thursday of last week, starting with
the latest snapshot and then moving to --current, as I found a few things in
pf that didn't seem to jive when I migrated my config back to --current from
stable (some modulate/keep state + queue didn't seem right). Anyway, after
CVS to -current everything is working cool, except that I still get an
interesting output when using tcpdump against the pflog0 int (this followed
me from the snapshot, BTW).

If you notice, it shows packets getting blocked but doesn't say "block",
although it does say "pass" when a "pass" rule is matched. I looked through my
rules and then added a "set block-policy drop" (I had "set block-policy return")
to see if this would change the output. It didn't, so I figured I would see if
anyone else is seeing this issue, or has any thoughts as to where I would have
gone wrong with this.


OpenBSD 3.2-current (GENERIC) #0: Fri Jan 24 21:38:23 EST 2003

13:07:16.399493 rule 1/0(match):  in on dc0: 1.1.1.1 > 2.2.2.2: icmp: echo request (id:7101 seq:16) (DF) (ttl 63, id 0, bad cksum 0!)
13:07:17.399609 rule 1/0(match):  in on dc0: 1.1.1.1 > 2.2.2.2: icmp: echo request (id:7101 seq:17) (DF) (ttl 63, id 0, bad cksum 0!)
13:10:31.172278 rule 33/0(match): pass in on de0: 1.1.1.1.35792 > 10.0.1.250.22: S [tcp sum ok] 3697236202:3697236202(0) win 5840 <mss 1380,sackOK,timestamp 664934544 0,nop,nop,nop,nop> (DF) (ttl 64, id 57559)
13:10:33.883289 rule 98/0(match): pass out on de0: 10.0.1.250.35004 > x.x.x.x.53: [udp sum ok] 43315+ PTR? x.xx.xxx.xxx.in-addr.arpa. (44) (ttl 64, id 6570)
13:27:04.926251 rule 5/0(match):  in on dc0: 65.124.16.109.1555 > 3.3.3.3.1434:  udp 376 (ttl 120, id 28259, bad cksum 0!)


set block-policy drop
@1 block drop in log on dc0 all label "block in on ext-Bridge0:default deny"
@5 block return-icmp(port-unr, port-unr) in log on dc0 proto udp all label "block return-icmp in ext-Bridge0: default deny udp"
@33 pass in log quick on de0 inet proto tcp from 216.255.50.36 to 10.0.1.250 port = ssh flags S/SA keep state label "permit from man_hosts to man_ip:22"
@98 pass out log on de0 inet proto udp from any to any port = domain keep state label "loggin of DNS request from man_if"


TIA

Jason Houx
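An added example (my own code, not from the original post or from OpenBSD): a small Python script that rejoins tcpdump pflog records that were wrapped onto several lines, pulls the matched rule number out of each record, and looks the action up in a `pfctl -vsr` style listing. That way a record whose "pass"/"block" word is missing, as in the output above, can still be classified from the ruleset by rule number rather than from the log line alone. The sample records and rules are constructed from the ones in the post, with placeholder addresses; the regexes assume the tcpdump/pfctl formats shown on the page.

```python
"""Correlate tcpdump pflog0 records with a pfctl -vsr rule listing.

Each pflog record names the rule that matched ("rule N/0(match)"); the
printed action word may be absent, so the action is taken from the
ruleset entry with that number instead.  Added example, not OpenBSD code.
"""
import re

# Constructed sample of pflog records (addresses are placeholders).
SAMPLE_PFLOG = """\
13:07:16.399493 rule 1/0(match):  in on dc0: 1.1.1.1 > 2.2.2.2: icmp: echo request (id:7101 seq:16) (DF) (ttl 63, id 0, bad cksum 0!)
13:10:31.172278 rule 33/0(match): pass in on de0: 1.1.1.1.35792 > 10.0.1.250.22: S [tcp sum ok] 3697236202:3697236202(0) win 5840 <mss 1380,sackOK,timestamp 664934544 0,nop,nop,nop,nop> (DF) (ttl 64, id 57559)
13:10:33.883289 rule 98/0(match): pass out on de0: 10.0.1.250.35004 > x.x.x.x.53: [udp sum ok] 43315+ PTR? x.xx.xxx.xxx.in-addr.arpa. (44) (ttl 64, id 6570)
13:27:04.926251 rule 5/0(match):  in on dc0: 4.4.4.4.1555 > 3.3.3.3.1434:  udp 376 (ttl 120, id 28259, bad cksum 0!)
"""

# Constructed sample of a numbered ruleset as "pfctl -vsr" prints it.
SAMPLE_RULES = """\
@1 block drop in log on dc0 all label "block in on ext-Bridge0:default deny"
@5 block return-icmp(port-unr, port-unr) in log on dc0 proto udp all label "block return-icmp in ext-Bridge0: default deny udp"
@33 pass in log quick on de0 inet proto tcp from 216.255.50.36 to 10.0.1.250 port = ssh flags S/SA keep state label "permit from man_hosts to man_ip:22"
@98 pass out log on de0 inet proto udp from any to any port = domain keep state label "loggin of DNS request from man_if"
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?:(?P<action>pass|block)\s+)?(?P<dir>in|out) on (?P<iface>\w+): (?P<pkt>.*)$"
)
RULE_RE = re.compile(
    r"^@(?P<num>\d+) (?P<action>pass|block)"
    r"(?: (?P<how>drop|return(?:-icmp6?|-rst)?(?:\([^)]*\))?))?(?=\s|$)"
)


def join_wrapped(text, is_start):
    """Rejoin records that a mail client or terminal wrapped onto several lines.

    A line that does not look like the start of a record is appended to the
    previous record.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if is_start(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_pflog(text):
    """Return one dict per pflog record; 'action' is None when tcpdump omitted it."""
    out = []
    for rec in join_wrapped(text, lambda l: bool(TS_RE.match(l))):
        m = PFLOG_RE.match(rec)
        if not m:
            continue  # not a pflog record in the format we expect
        d = m.groupdict()
        d["rule"] = int(d["rule"])
        out.append(d)
    return out


def parse_rules(text):
    """Map rule number -> {'action', 'how', 'text'} from a numbered rule listing."""
    rules = {}
    for rec in join_wrapped(text, lambda l: l.startswith("@")):
        m = RULE_RE.match(rec)
        if m:
            rules[int(m.group("num"))] = {
                "action": m.group("action"),  # pass / block
                "how": m.group("how"),        # drop, return-icmp(...), or None
                "text": rec,
            }
    return rules


def reconcile(pflog_text, rules_text):
    """Pair each logged record with its rule and flag records lacking an action word."""
    rules = parse_rules(rules_text)
    report = []
    for e in parse_pflog(pflog_text):
        rule = rules.get(e["rule"])
        report.append({
            "ts": e["ts"], "rule": e["rule"], "iface": e["iface"], "dir": e["dir"],
            "logged_action": e["action"],
            "rule_action": rule["action"] if rule else None,
            "rule_how": rule["how"] if rule else None,
            "action_missing": e["action"] is None,
        })
    return report


if __name__ == "__main__":
    for row in reconcile(SAMPLE_PFLOG, SAMPLE_RULES):
        print("%s rule %-3d %-3s on %s logged=%-5s ruleset=%s %s" % (
            row["ts"], row["rule"], row["dir"], row["iface"],
            row["logged_action"], row["rule_action"], row["rule_how"] or ""))
```

Run as-is it prints one line per record; feeding it `tcpdump -n -e -ttt -i pflog0` output and `pfctl -vsr` output captured at the same time gives the same reconciliation for a live ruleset.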

