Re: Dumb pf.conf question

From: Craig Leres <leres_at_freebsd.org>
Date: Sat, 04 Jun 2022 21:35:45 UTC
On 6/4/22 13:05, George Mitchell wrote:
> Due to an excess (to put it politely) of packets originating from
> IPv4-address-that-shall-not-be-mentioned, I decided to fix up my
> pf.conf file, which in very general terms looks like this:
> 
> (a bunch of macro definitions: ext_if = external interface,
>   int_if = internal interface, internal_ipv6 = 2001:xxxx:yyyy:zzzz::/120,
>   internal_net = 10.0.0.0/8)
> (a couple of table definitions)
> (no options, traffic normalization, or queueing)
> 
> scrub in all
> nat on $ext_if from $internal_net to any -> ($ext_if)
> 
> (a bunch of rdr statements, none of which contain "quick")
> 
> block all
> pass quick on lo0
> pass quick on $int_if
> 
> pass quick from $internal_ipv6
> pass quick to $internal_ipv6
> 
> #nuisance ssh logins
> block quick on $ext_if from (nasty address)
> 
> (lots more packet filtering rules that work)
> 
> But that next-to-last line is not stopping packets from nasty address.
> What did I do wrong?

I don't have a solution but let me suggest a strategy; normally I add 
"log" to all block rules so I can use tcpdump to tell me what I'm 
blocking, e.g.:

     tcpdump -ent -i pflog0

-e is particularly cool because it reports details such as rule number 
and interface.

But if instead you add "log" to all of your "pass" rules, you might be 
able to identify the rule that's passing the undesired packets, e.g.:

     tcpdump -ent -i pflog0 host badguy

		Craig
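One way to act on the suggestion above, as an added example that is not part of the thread: a small helper that reads the `tcpdump -ent -i pflog0` output (whose lines start with `rule N/M(match): action dir on iface:`) and counts, per rule, the packets whose source is a given host, so the "pass" rule that lets the unwanted traffic through shows up by number. The `rules_for_host` name, the `em0` interface and the sample addresses are assumptions; the log lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread): find which pf rule
# matched packets from a given source host in tcpdump -e output from pflog0.

# Constructed sample of `tcpdump -ent -i pflog0` output (not real capture data);
# 198.51.100.7 stands in for the "nasty address" from the question.
SAMPLE_PFLOG='rule 3/0(match): pass in on em0: 198.51.100.7.41122 > 192.0.2.10.22: Flags [S], seq 1, win 65535
rule 11/0(match): block in on em0: 203.0.113.9.5555 > 192.0.2.10.22: Flags [S], seq 1, win 65535
rule 3/0(match): pass in on em0: 198.51.100.7.41123 > 192.0.2.10.22: Flags [S], seq 2, win 65535
rule 4/0(match): pass out on em0: 192.0.2.10.22 > 198.51.100.7.41122: Flags [S.], seq 9, win 65535'

# rules_for_host HOST  (pflog text on stdin)
# Prints "ruleno action dir iface count" for every rule that matched a packet
# whose source address is HOST.  A "pass" line here is the rule that admits the
# traffic, i.e. the one that comes before the intended "block quick" in pf.conf.
rules_for_host() {
    awk -v host="$1" '
        /^rule [0-9]+\/[0-9]+\(match\): / {
            rule = $2; sub(/\/.*/, "", rule)        # "3/0(match):" -> "3"
            action = $3; dir = $4
            iface = $6; sub(/:$/, "", iface)        # "em0:" -> "em0"
            src = $7; sub(/\.[0-9]+$/, "", src)     # strip the source port
            if (src == host) count[rule " " action " " dir " " iface]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -n
}

# Stand-alone demo: which rule is passing packets from the sample host?
printf '%s\n' "$SAMPLE_PFLOG" | rules_for_host 198.51.100.7
```

Against a live system, replace the sample with `tcpdump -ent -i pflog0 | rules_for_host <address>` and compare the rule number with `pfctl -vvsr`, which prints each loaded rule with its number.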