should tcpdump see blocked packets?

Vlad GALU vladgalu at gmail.com
Mon May 1 19:07:30 UTC 2006


On 5/1/06, Dmitry Andrianov <dimas at dataart.com> wrote:
> Hello all.
>
> I was under impression that tcpdump on any interface should NOT see
> incoming packets which are blocked by pf rules - these packets should
> only appear on pflog0 interface (and only if logged explicitly by "block
> log"/"pass log" rule).
>
> But right now I see that tcpdump -pni em0 (where em0 is my DMZ
> interface) actually sees packets which should not be there (because they
> are blocked)! Interestingly enough, these packets are also visible with
> tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in
> my ruleset, only the "block + log" ones, the only explanation I see is
> that tcpdump sees packets on em0 before they are processed by pf. This
> worries me because for other interfaces tcpdump does not see blocked
> traffic. I wonder why this happens.
>

   Because of the bpf hooks in each driver. This is the expected behaviour.

> Regards,
> Dmitry Andrianov
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>


--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
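The asymmetry behind Vlad's answer is that the bpf tap in a driver's receive path runs before pf gets the packet, while the tap in the transmit path runs after pf, so blocked inbound packets show up on both em0 and pflog0 but blocked outbound packets appear only on pflog0. The script below, added here as an example and not code from the thread or from FreeBSD, correlates a capture from the interface with a capture from pflog0 and labels each flow accordingly. The two captures are constructed text in the shape of `tcpdump -pni em0` and `tcpdump -e -pni pflog0` output with RFC 5737 documentation addresses and made-up rule numbers; the pflog line layout is an approximation of tcpdump's pflog printer, so PFLOG_RE may need adjusting for a given tcpdump version.

```python
"""Correlate an interface capture with a pflog0 capture.

Constructed example: the captures below are made up to illustrate the
behaviour discussed in the thread, not real traffic.
"""
import re

# Constructed sample of `tcpdump -pni em0` output (addresses from the
# RFC 5737 documentation ranges; nothing here is a real capture).
EM0_CAPTURE = """\
19:07:30.100001 IP 203.0.113.5.4444 > 192.0.2.10.22: S 1:1(0) win 65535
19:07:30.100100 IP 198.51.100.7.51000 > 192.0.2.10.80: S 1:1(0) win 65535
19:07:30.100200 IP 203.0.113.5.4445 > 192.0.2.10.23: S 1:1(0) win 65535
19:07:30.100300 IP 192.0.2.10.80 > 198.51.100.7.51000: S 1:1(0) ack 2 win 65535
"""

# Constructed sample of `tcpdump -e -pni pflog0` output. The layout
# approximates tcpdump's pflog printer; adjust PFLOG_RE for your version.
PFLOG_CAPTURE = """\
19:07:30.100002 rule 2/0(match): block in on em0: 203.0.113.5.4444 > 192.0.2.10.22: S 1:1(0) win 65535
19:07:30.100201 rule 2/0(match): block in on em0: 203.0.113.5.4445 > 192.0.2.10.23: S 1:1(0) win 65535
19:07:30.100400 rule 4/0(match): block out on em0: 192.0.2.10.1025 > 203.0.113.9.53: udp 40
"""

IFACE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:IP\s+)?(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
)
PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?:IP\s+)?(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
)


def parse_iface_capture(text):
    """Map (src, dst) -> list of timestamps seen on the interface's bpf tap."""
    seen = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            seen.setdefault((m["src"], m["dst"]), []).append(m["ts"])
    return seen


def parse_pflog_capture(text):
    """Map (src, dst) -> (action, direction, iface, rule number) from pflog0."""
    logged = {}
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            logged[(m["src"], m["dst"])] = (
                m["action"], m["dir"], m["iface"], int(m["rule"]))
    return logged


def classify(iface, iface_text, pflog_text):
    """Return {(src, dst): (status, rule)} for every flow in either capture.

    blocked-in-seen-on-wire   blocked by pf, yet visible on the interface
                              because the receive-side bpf tap runs before pf
    blocked-out-not-on-wire   blocked by pf before the driver's transmit tap,
                              so it only ever shows up on pflog0
    blocked-in-not-captured   pflog says blocked inbound here, but the
                              interface capture did not contain it
    unlogged                  on the wire with no pflog record: passed, or
                              dropped by a rule without "log" (ambiguous)
    other                     a pass-log entry or an entry for another interface
    """
    seen = parse_iface_capture(iface_text)
    logged = parse_pflog_capture(pflog_text)
    verdicts = {}
    for flow in set(seen) | set(logged):
        entry = logged.get(flow)
        if entry is None:
            verdicts[flow] = ("unlogged", None)
            continue
        action, direction, log_iface, rule = entry
        if log_iface != iface or action != "block":
            verdicts[flow] = ("other", rule)
        elif direction == "in":
            status = "blocked-in-seen-on-wire" if flow in seen else "blocked-in-not-captured"
            verdicts[flow] = (status, rule)
        else:
            status = "blocked-out-seen-on-wire" if flow in seen else "blocked-out-not-on-wire"
            verdicts[flow] = (status, rule)
    return verdicts


if __name__ == "__main__":
    for flow, (status, rule) in sorted(classify("em0", EM0_CAPTURE, PFLOG_CAPTURE).items()):
        suffix = "" if rule is None else " (rule %d)" % rule
        print("%-22s > %-22s %s%s" % (flow[0], flow[1], status, suffix))
```

In the ruleset described in the thread, where every block rule carries `log` and no pass rule does, an "unlogged" flow is one pf passed; in a ruleset with unlogged block rules that verdict is ambiguous, which is the reason to key blocked-packet analysis off pflog0 rather than off what is or is not visible on the physical interface.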

