On May 18, 2006, at 5:59 PM, Daniel Hartmeier wrote:

On Thu, May 18, 2006 at 05:24:28PM -0400, Chad M Stewart wrote:

Status: Enabled for 0 days 02:05:34           Debug: Urgent

The differences in the pfctl -si outputs look like it MUST be a block
rule without 'log' matching those packets, after all.

The grep in your /etc/pf.conf might have been incomplete for two
reasons:

a) you're using 'antispoof', which expands to multiple block
   rules, depending on the networks assigned to the interfaces.

For kicks I commented out 'antispoof' and reloaded the rule set. Ah ha, now things are being logged, and another issue resolved itself as well. My default is return, not drop. I was not seeing 'connection refused' when I tried my test; instead I was left waiting for the attempt to time out. After removing antispoof, return now works too.

with antispoof in place

# pfctl -sr  |grep block
block return in log all
block drop in on ! rl0 inet from 172.16.10.0/24 to any
block drop in inet from 172.16.10.1 to any
block drop in on ! rl1 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.45 to any
block drop in on ! rl2 inet from 172.16.30.0/24 to any
block drop in inet from 172.16.30.2 to any
block drop in on ! carp0 inet from 24.97.84.32/29 to any
block drop in inet from 24.97.84.33 to any
block drop in on ! carp1 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block return log quick inet proto tcp from <ssh-denied> to 192.168.1.6 port = ssh label "accessive-ssh"
#
antispoof removed

# pfctl -sr  |grep block
block return in log all
block return log quick inet proto tcp from <ssh-denied> to 192.168.1.6 port = ssh label "accessive-ssh"
#
Ah, now I think I'm seeing why.

May 18 18:05:39.296139 rule 0/(match) block in on rl0: 24.97.84.35.38390 > 24.97.84.33.43: [|tcp] (DF) [tos 0x10]

The antispoof rule says a packet arriving with a source within the 24.97.84.32/29 subnet (which 24.97.84.35 is in) that is not coming in on carp0 is to be dropped. The log clearly shows the packet coming in on rl0, which is the physical interface associated with carp0. Placing 'antispoof for carp0 inet' in the rules file brings back the non-logging behavior. Perhaps it is just my tired brain, but it seems strange that in other rules carp0 is used as the incoming interface.

hostname.carp0
vhid 1 pass foobar advskew 100 carpdev rl0 24.97.84.33 netmask 255.255.255.248
hostname.carp1
vhid 2 pass foo advskew 100 carpdev rl1 192.168.1.1 255.255.255.0
hostname.rl0
inet 172.16.10.1 255.255.255.0
!ifconfig rl0 description WAN
hostname.rl1
inet 192.168.1.45 255.255.255.0
!ifconfig rl1 description LAN
hostname.rl2
inet 172.16.30.2 255.255.255.0
!ifconfig pfsync0 syncdev rl2
!ifconfig rl2 description "Admin"
-Chad