On Mon, Nov 17, 2003 at 11:02:45PM -0600, Andrew Eaton wrote:
> anchor authpf
>
> block drop in log quick from any to <blocks>
> block drop in log quick from <blocks> to any
>
> pfctl -a authpf -s rules shows: (user logged in)
> pass in log quick inet proto tcp from 172.16.8.71 to any keep state
> pass in log quick inet proto udp from 172.16.8.71 to any keep state
>
> That 172 address is my address. Yet none of the traffic seems to
> hit the anchor. All that traffic hits the second block statement used for
> testing according to tcpdump.
One explanation would be that the traffic is not plain IPv4 TCP or UDP, but something encapsulated. If so, it wouldn't match the user's rule in the anchor (which specifies 'inet proto tcp/udp') but would match the subsequent block rule (which doesn't restrict the protocol to tcp/udp).

Run tcpdump -s 256 -nvvvXi and quote one of the blocked packets, including the hexdump of the packet. It's sometimes hard to spot encapsulation in tcpdump output, as it automatically prints the inner header. The hexdump will show the complete packet, with the outermost header, which is the one relevant for pf.

Daniel
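An added example (not from this thread) of the point Daniel makes: rebuild a packet from a tcpdump -X hexdump, read the outermost IPv4 header the way pf does, and compare it with the inner header tcpdump would print. It assumes IP-in-IP (protocol 4) as the encapsulation, the modern tcpdump -X line layout, and constructs its own sample packets rather than using a real capture.

```python
import re
import struct
from ipaddress import IPv4Address

# IANA protocol numbers; pf checks 'inet proto tcp/udp' against the OUTERMOST header
PROTO_NAMES = {1: "icmp", 4: "ipencap", 6: "tcp", 17: "udp", 41: "ipv6", 47: "gre", 50: "esp"}

def bytes_from_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from tcpdump -X lines such as '0x0000:  4500 0028 ...  E..('.
    Assumption: modern layout (offset, up to 8 groups of 4 hex digits, two spaces, ASCII)."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-f]{4}:?\s+((?:[0-9a-f]{4} ?){1,8})", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def parse_ipv4(raw: bytes, off: int = 0):
    """Return (src, dst, proto, header_len) for the IPv4 header at raw[off:]."""
    if raw[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[off] & 0x0F) * 4
    src, dst = IPv4Address(raw[off + 12:off + 16]), IPv4Address(raw[off + 16:off + 20])
    return str(src), str(dst), raw[off + 9], ihl

def outer_and_inner(raw: bytes):
    """Outermost header (what pf evaluates) and, for IP-in-IP, the inner one (what tcpdump prints)."""
    src, dst, proto, ihl = parse_ipv4(raw)
    outer = (src, dst, PROTO_NAMES.get(proto, str(proto)))
    inner = None
    if proto == 4:  # IP-in-IP: a second IPv4 header follows the outer one
        isrc, idst, iproto, _ = parse_ipv4(raw, ihl)
        inner = (isrc, idst, PROTO_NAMES.get(iproto, str(iproto)))
    return outer, inner

def matches_authpf_pass(raw: bytes, user_ip: str) -> bool:
    """Would 'pass in inet proto {tcp,udp} from <user_ip>' match? Only the outer header counts."""
    (src, _, proto), _ = outer_and_inner(raw)
    return src == user_ip and proto in ("tcp", "udp")

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte header; checksum left 0 since only the fields above are parsed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

# Constructed sample (not a real capture): one TCP SYN from the user's host, plain and IP-in-IP
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
PLAIN = ipv4_header("172.16.8.71", "10.0.0.5", 6, len(TCP_SYN)) + TCP_SYN
TUNNELLED = ipv4_header("172.16.8.71", "10.0.0.1", 4, len(PLAIN)) + PLAIN
```

The tunnelled packet carries the same TCP segment, yet its outer protocol is 4, so the anchor's 'inet proto tcp' rule does not match it while the protocol-agnostic block rule does.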