pf and short packets

dawnshade dawnshade at mail.ru
Wed Oct 26 02:06:45 PDT 2005 

On Wednesday 26 October 2005 12:41, Anton Nikiforov wrote:
> dawnshade wrote:
> > On Wednesday 26 October 2005 12:08, Anton Nikiforov wrote:
> >> On Tuesday 25 October 2005 23:21, Anton Nikiforov wrote:
> >>>>tcpdump -n -e -ttt -x -i pflog0 host 127.0.0.1
> >>>>000034 rule 0/3(short): pass out on lo0: IP 127.0.0.1.514 >
> >>>>127.0.0.1.643: . ack 30 win 65535
> >>>>        0x0000:  4600 002c 6605 4000 0306 11c5 7f00 0001
> >>>> F..,f. at ......... 0x0010:  7f00 0001 0100 0000 0202 0283 8129 5dab
> >>>> .............)]. 0x0020:  5db7 f2f2 5010 ffff 7dce 0000
> >>>> ]...P...}... 000034 rule 0/3(short): pass out on lo0: IP 127.0.0.1.514
> >>>>
> >>>>127.0.0.1.643: . ack 30 win 65535
> >>>>        0x0000:  4600 002c d21d 4000 0306 a5ac 7f00 0001
> >>>> F..,.. at ......... 0x0010:  7f00 0001 0100 0000 0202 0283 8129 5dab
> >>>> .............)]. 0x0020:  5db7 f2f2 5010 ffff 7dce 0000
> >>>> ]...P...}...
> >>>>
> >>>>The rule for this packet is not a "log" one, but the sign (short) is
> >>>>what i cannot understand.
> >>>
> >>>Read 'man 1 tcpdump' about key "-s".
> >>>You command must be like "tcpdump -s 1000 -n -e -ttt -x -i pflog0 host
> >>>127.0.0.1"
> >>>
> >>>Change value 1000 to appropriate.
> >>
> >>Hi, and thanks for the replay,
> >>but my question is not about how to use tcpdump (i know -s key), but
> >>what to do with pf to make this packets pass through.
> >>When my pf is up i cannot rsh to ipcad, but when it is down - everything
> >>is working just fine.
> >>I need this rsh to get my ip statistics.
> >
> > sorry, i misunderstand you.
> > can you provide output 'pfctl -sr -g' (at leat sensitive rules before
> > number 34)
>
> Hello and thanks again for the replay.
> Here is the output of pfctl -sr -g.
> @0 scrub in all fragment reassemble
>    [ Skip steps: i=end f=end p=end sa=end sp=end da=end dp=end ]
>    [ queue: qname= qid=0 pqname= pqid=0 ]
> @1 scrub out all random-id fragment reassemble
>    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
>    [ queue: qname= qid=0 pqname= pqid=0 ]
> @0 pass quick on lo0 all
>    [ Skip steps: p=4 sp=802 da=2 dp=17 ]
>    [ queue: qname= qid=0 pqname= pqid=0 ]
> I was "playing" with this rule and used to install it in different ways
> and places. I have no idea what to do with this.
> I was turning off scrubbing, everything beloew. With no result.
>
> All the rest is not about lo0, but here they are (34 out of 9849):
>
> @1 block drop in quick inet from 192.168.11.1 to any
> @2 block drop in log quick on fxp0 inet from any to 224.0.0.0/3
> @3 block drop out log quick on fxp0 inet from 224.0.0.0/3 to any
> @4 block drop in log quick on fxp0 inet proto tcp all flags FPU/FPU
> @5 block drop in log quick on fxp0 inet proto tcp all flags FS/FSRA
> @6 block drop in log quick on fxp0 inet proto tcp all flags /FSRA
> @7 block drop in log on fxp0 proto tcp all
> @8 block drop in log on fxp0 proto udp all
> @9 block drop out log on fxp0 proto tcp all
> @10 block drop out log on fxp0 proto udp all
> @11 block drop in log on fxp0 proto icmp all
> @12 block drop out log on fxp0 proto icmp all
> @13 block return-rst in log on fxp0 proto tcp all
> @14 block return-rst out log on fxp0 proto tcp all
> @15 block return-icmp(port-unr, port-unr) in log on fxp0 proto udp all
> @16 block return-icmp(port-unr, port-unr) out log on fxp0 proto udp all
> @17 block drop in log on fxp0 proto tcp from any to any port = pop3
> @18 block drop in log on fxp0 proto tcp from any to any port = loc-srv
> @19 block drop in log on fxp0 proto tcp from any to any port = profile
> @20 block drop in log on fxp0 proto tcp from any to any port = netbios-ns
> @21 block drop in log on fxp0 proto tcp from any to any port = netbios-dgm
> @22 block drop in log on fxp0 proto tcp from any to any port = netbios-ssn
> @23 block drop in log on fxp0 proto tcp from any to any port = microsoft-ds
> @24 block drop in log on fxp0 proto udp from any to any port = pop3
> @25 block drop in log on fxp0 proto udp from any to any port = loc-srv
> @26 block drop in log on fxp0 proto udp from any to any port = profile
> @27 block drop in log on fxp0 proto udp from any to any port = netbios-ns
> @28 block drop in log on fxp0 proto udp from any to any port = netbios-dgm
> @29 block drop in log on fxp0 proto udp from any to any port = netbios-ssn
> @30 block drop in log on fxp0 proto udp from any to any port = microsoft-ds
> @31 block drop out log on fxp0 proto tcp from any to any port = pop3
> @32 block drop out log on fxp0 proto tcp from any to any port = loc-srv
> @33 block drop out log on fxp0 proto tcp from any to any port = profile
> @34 block drop out log on fxp0 proto tcp from any to any port = netbios-ns
>
> Just in case:
> # pfctl -sr -g | grep lo0
> @0 pass quick on lo0 all

maybe this link help you.: 
http://groups.google.com/group/fido7.ru.unix.bsd/msg/187bf3d7de6e3eab?dmode=source

Sorry to other subscribers  - it in russian.
short fix problem: replace 'pass quick all lo0' to 'pass qucik all allow-opts 
lo0'

More information about the freebsd-stable mailing list