If you have an anchor in your pf ruleset, a packet that matches a rule
with a log directive will reflect the rule number of the last anchor
definition instead of the rule that caused the logging.

My first rule in pf.conf is 'block log (all) all'.  In 6.1, packets
matching the block rule will show rule 1 as the matching rule.  Since 6.2
and in current (not sure when during 6.2's development this started) the
same blocked packet will show the rule number of the last anchor in the
ruleset as the matching rule.


This is what I expect, and do get when no anchor is defined:

root@portabsd:~$ pfctl -sr -R1
block return log (all) all

root@portabsd:~$ tcpdump -nettti pflog0 action block
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
Oct 11 20:43:58.837980 rule 1/(match) block in on iwm0: fe80::8c2:5295:cd0e:f5e4.5353 > ff02::fb.5353: 0 [17q][|domain] [flowlabel 0x84d6b]
Oct 11 20:44:18.233207 rule 1/(match) block in on iwm0: 192.168.1.3.52286 > 192.168.1.15.445: S 176378676:176378676(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314135130 0,[|tcp]> (DF) [tos 0x10] ^C
3 packets received by filter
0 packets dropped by kernel


Add a bogus 'anchor "test"' to the bottom of pf.conf and reload.  Hit the
system with blockable traffic again:

root@portabsd:~$ tcpdump -nettti pflog0 action block
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Oct 11 20:44:50.038509 rule 43/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 3438533119:3438533119(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314166871 0,[|tcp]> (DF) [tos 0x10] ^C
1 packets received by filter
0 packets dropped by kernel

root@portabsd:~$ pfctl -sr -R1
block return log (all) all

root@portabsd:~$ pfctl -sr -R 43
anchor "test" all


My cleaned up pf.conf used in the above reproductions:

wan_services = "{ http https pop3s imaps smtps whois 11371 ssh 53589 8008 }"
set skip on { lo enc }
match in all scrub (no-df random-id reassemble tcp)
set block-policy return
block log (all) all
antispoof quick for egress
vm_net = "{ 10.10.10.0/24 }"
match out on egress inet from $vm_net to any nat-to (egress:0)
pass in quick on vether0 from $vm_net to any
pass out quick proto { tcp udp } to 192.168.1.1 port 53
pass out quick proto tcp to any port { 6667 6697 } user irc
block out quick proto { udp tcp } user irc
pass out quick proto tcp to any port $wan_services
pass out quick proto { udp } to any port 123
pass quick proto udp to any port { 67 68 }
pass out quick proto icmp all
pass quick inet proto icmp all icmp-type unreach code needfrag
pass out quick proto udp to port 33433 >< 33626
block in quick from 192.168.1.1 to 224.0.0.1
vpn_dest = "{ xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx }"
pass in on egress proto esp from $vpn_dest to (self)
pass out on egress proto esp from (self) to $vpn_dest
pass in on egress proto udp from $vpn_dest to (self) port { isakmp ipsec-nat-t }
pass out on egress proto udp from (self) to $vpn_dest port { isakmp ipsec-nat-t }
pass in log quick proto tcp from 192.168.1.0/24 to (self) port ssh
pass quick on egress proto tcp to any port 22000
anchor "test"
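
The report above boils down to one check a practitioner can automate: does the rule number printed in a pflog entry point at a rule that could actually have produced that entry? The script below is an added example and not part of the original report or of OpenBSD; it parses the `tcpdump -nettti pflog0` line format shown above, indexes a `pfctl -sr` dump the same way `pfctl -sr -R <n>` does (one rule per line, numbered from 0, `set` lines not counted), and flags any entry whose rule number lands on an `anchor` line, on a rule with a different action, or on a rule that carries no `log` keyword. Both inputs embedded here are constructed to mirror the symptom (a short ruleset with the anchor at index 6 rather than 43); the timestamps and addresses are made up.

```python
"""Cross-check pflog rule numbers against a pfctl -sr ruleset dump.

Added example, not part of the original report.  Both SAMPLE_* inputs
are constructed to mirror the symptom described: a pflog entry whose
rule number points at an 'anchor' rule that carries no 'log' directive.
"""
import re

# Constructed sample of `tcpdump -nettti pflog0` output (same shape as
# the report's capture; timestamps and addresses are made up).
SAMPLE_PFLOG = """\
Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
Oct 11 20:44:50.038509 rule 6/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 3438533119:3438533119(0) win 65535
Oct 11 20:45:01.000001 rule 4/(match) pass in on iwm0: 192.168.1.20.40000 > 192.168.1.15.22: S 1:1(0) win 65535
"""

# Constructed sample of `pfctl -sr` output: one rule per line, numbered
# from 0 in order, which is the numbering `pfctl -sr -R <n>` uses.
SAMPLE_RULES = """\
match in all scrub (no-df random-id reassemble tcp)
block return log (all) all
antispoof quick for egress
pass in quick on vether0 inet from 10.10.10.0/24 to any flags S/SA
pass in log quick inet proto tcp from 192.168.1.0/24 to (self) port = 22 flags S/SA
pass quick on egress inet proto tcp from any to any port = 22000 flags S/SA
anchor "test" all
"""

# "Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+):"
)


def parse_pflog(text):
    """Return one dict per pflog line that carries a rule reference."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["rule"] = int(d["rule"])
            entries.append(d)
    return entries


def parse_rules(text):
    """Return the ruleset as a list indexed by pfctl rule number."""
    return [line.rstrip() for line in text.splitlines() if line.strip()]


def check_entry(entry, rules):
    """Classify one pflog entry against the rule its number points at.

    Returns (rule_text, problems); an empty problems list means the
    logged rule number is plausible for this entry.
    """
    n = entry["rule"]
    if n >= len(rules):
        return None, ["rule number %d is outside the %d-rule set" % (n, len(rules))]
    rule = rules[n]
    problems = []
    rule_action = rule.split()[0]
    if rule_action == "anchor":
        problems.append("points at an anchor, not a filter rule")
    elif rule_action != entry["action"]:
        problems.append("logged action %r but rule action is %r" % (entry["action"], rule_action))
    if not re.search(r"\blog\b", rule):
        problems.append("rule has no 'log' keyword, so it cannot have produced this entry")
    return rule, problems


def audit(pflog_text, rules_text):
    """Run check_entry over every pflog line; returns a list of findings."""
    rules = parse_rules(rules_text)
    report = []
    for e in parse_pflog(pflog_text):
        rule, problems = check_entry(e, rules)
        report.append({"ts": e["ts"], "rule": e["rule"], "rule_text": rule, "problems": problems})
    return report


if __name__ == "__main__":
    for r in audit(SAMPLE_PFLOG, SAMPLE_RULES):
        status = "OK " if not r["problems"] else "BAD"
        print("%s rule %2d: %s" % (status, r["rule"], r["rule_text"]))
        for p in r["problems"]:
            print("      - " + p)
```

Against a live system, replace the two constructed samples with the output of `tcpdump -nettti pflog0` and `pfctl -sr` taken while the same ruleset is loaded; the rule numbers in pflog are only meaningful relative to the ruleset that was active when the packet was logged, so capture both before any reload.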