On Tue, 2004-08-31 at 19:31, cmustard wrote:
> > are those the complete log entries?  my log entries look more like
> - no, i truncated, I was running tcpdump -neq -ttt -r /var/log/pflog
>   they were the 'standard/normal' entries:
> Aug 31 01:20:15.287341 rule 1/0(match): block in on rl0: 69.42.74.50.80 > 
> 192.168.x.xxx.61265: P 4294966553:0(743) ack 1 win 5792  (DF)
> Aug 31 01:20:15.287341 rule 1/0(match): block in on rl0: 69.42.xx.xx.80 > 
> 192.168.xx.x1.61265: P 4294966553:0(743) ack 1 win 5792  (DF)
> etc,...
> 
> > 
> > rule 0/0(match): block out on hme1: 10.1.1.15.139 > 10.1.2.16.32962: R
> > 8:8(0) ack 1 win 58410 (DF)
> > 
> > the reason i ask, is because all your rules use "flags S/SA" and "keep
> > state" which; in the normal course of operation, create a lot of log
> > entries where the flags are RST-ACK, FIN-ACK, etc...  they are just
> > trailing packets that arrive after the state entry has been removed...
> > 
> -hmmm, so you're saying just because I see a rule being matched it doesn't
>  mean a packet is being blocked. it may be matching flags S/SA but is
>  still passing in to the interface, cool, I hadn't thought of that,
>  thanks.
>  that's what I get using rules I don't really understand yet,... :)

actually, what i was saying is:  when you use "flags S/SA keep state"
*only* a packet with the SYN bit (out of SYN, ACK) can match the rule
and create a state.  those states are also interface-bound (if you
specify an interface), and once that state is removed, any packets
lagging behind the closing of that connection will be blocked by your
default rule because they don't match anything else and have no state
associated with them. generally, these will be FIN-ACK, RST-ACK, or
PSH-ACK packets.

here are the rules i try to follow with respect to keeping state, either:

don't specify interfaces when keeping state, or

only keep state on one interface (usually the external)

-j
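As an added example (not part of the thread), a small Python triage script that applies the distinction -j describes to pflog output from `tcpdump -neq -ttt -r /var/log/pflog`: ACK-bearing FIN/RST/PSH segments logged by the default block rule are treated as trailing packets from a state that has already been removed, while a bare SYN is a genuinely blocked connection attempt. The sample log lines and addresses are constructed.

```python
import re

# Constructed sample lines in the format of `tcpdump -neq -ttt -r /var/log/pflog`
# (addresses are documentation ranges, not from the thread).
SAMPLE_LOG = """\
Aug 31 01:20:15.287341 rule 1/0(match): block in on rl0: 192.0.2.10.80 > 192.168.1.20.61265: P 4294966553:0(743) ack 1 win 5792 (DF)
Aug 31 01:20:16.101212 rule 1/0(match): block in on rl0: 192.0.2.10.80 > 192.168.1.20.61265: F 743:743(0) ack 1 win 5792 (DF)
Aug 31 01:20:17.554433 rule 0/0(match): block out on hme1: 10.1.1.15.139 > 10.1.2.16.32962: R 8:8(0) ack 1 win 58410 (DF)
Aug 31 01:21:03.000001 rule 1/0(match): block in on rl0: 198.51.100.7.4321 > 192.168.1.20.22: S 1000:1000(0) win 65535 <mss 1460> (DF)
"""

# One pflog line as printed by the old tcpdump TCP formatter: flags are a run of
# S/F/R/P letters (or "." for none) and ACK shows up as "ack N" in the tail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\w.]+) > (?P<dst>[\w.]+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Thread's rule of thumb: an ACK-bearing segment without SYN cannot create
    state under "flags S/SA keep state", so once the connection's state is gone
    it hits the default block rule ('trailing', usually noise). A bare SYN is a
    real blocked connection attempt ('new-connection'); anything else is 'other'."""
    has_ack = " ack " in f" {entry['rest']} "
    flags = entry["flags"]
    if "S" in flags and not has_ack:
        return "new-connection"
    if has_ack and "S" not in flags:
        return "trailing"
    return "other"

def summarize(log_text):
    """Count entries per class; unparseable lines are counted, not dropped."""
    counts = {"trailing": 0, "new-connection": 0, "other": 0, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse(line)
        counts[classify(entry) if entry else "unparsed"] += 1
    return counts
```

Run `summarize()` over a real capture to see how much of the block log is trailing-packet noise before reading the remaining entries one by one.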
