Re: Where did "from <__automatic_43ce223_0> come from?
 
Date: Sat, 25 Feb 2023 20:22:09 UTC
On 26 Feb 2023, at 9:09, Dave Horsfall wrote:
> FreeBSD aneurin.horsfall.org 10.4-RELEASE-p13 FreeBSD 10.4-RELEASE-p13 #0: Thu Sep 27 09:21:23 UTC 2018 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>
> (Yeah, I'll update soon, when I find a newer box)
>
> Seen in my daily security run output:
>
>     +block drop in quick inet from <__automatic_43ce223_0> to any [ Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]
>
> Obviously something created automatically (I don't have anything faintly
> resembling that in my pf.conf), but how?
>
      set ruleset-optimization
            none      Disable the ruleset optimizer.
            basic     Enable basic ruleset optimization.  This is the default
                      behaviour.  Basic ruleset optimization does four things to
                      improve the performance of ruleset evaluations:
                      1.   remove duplicate rules
                      2.   remove rules that are a subset of another rule
                      3.   combine multiple rules into a table when advantageous
                      4.   re-order the rules to improve evaluation performance
            profile   Uses the currently loaded ruleset as a feedback profile to
                      tailor the ordering of quick rules to actual network
                      traffic.
            It is important to note that the ruleset optimizer will modify the
            ruleset to improve performance.  A side effect of the ruleset
            modification is that per-rule accounting statistics will have
            different meanings than before.  If per-rule accounting is important
            for billing purposes or whatnot, either the ruleset optimizer should
            not be used or a label field should be added to all of the accounting
            rules to act as optimization barriers.
            Optimization can also be set as a command-line argument to pfctl(8),
            overriding the settings in pf.conf.
That’d be case 3.
Kristof
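
A simplified model of case 3, added here as an illustration (not pfctl's code and not part of the original message): consecutive rules that differ only in source address collapse into one rule on a generated table, and labelled rules are left alone as optimization barriers. The threshold, the `__automatic_example` table prefix and the sample rules are assumptions of this sketch.

```python
import re
from itertools import groupby

# Source-address slot of an already expanded pf rule: "... from ADDR to ..."
SRC = re.compile(r"\bfrom (\S+) to\b")

def split_src(rule):
    """Return (rule with its source blanked out, source address or None)."""
    m = SRC.search(rule)
    # Labelled rules act as optimization barriers; "any" and existing
    # tables are not single addresses that could be folded into a table.
    if (not m or " label " in rule
            or m.group(1) == "any" or m.group(1).startswith("<")):
        return rule, None
    return rule[:m.start(1)] + "\0" + rule[m.end(1):], m.group(1)

def combine_into_tables(rules, threshold=3, prefix="__automatic_example"):
    """Collapse runs of consecutive rules differing only in source address.

    threshold and prefix are assumptions of this sketch, not pfctl values.
    Returns (new_rules, tables) so each table can be mapped back to the
    addresses it stands for when auditing the loaded ruleset.
    """
    new_rules, tables = [], {}
    for shape, run in groupby(rules, key=lambda r: split_src(r)[0]):
        run = list(run)
        addrs = [split_src(r)[1] for r in run]
        if None not in addrs and len(run) >= threshold:
            name = f"{prefix}_{len(tables)}"
            tables[name] = addrs
            new_rules.append(shape.replace("\0", f"<{name}>"))
        else:
            new_rules.extend(run)  # too short a run, or nothing to fold
    return new_rules, tables

# Constructed sample ruleset (documentation address ranges).
SAMPLE = [
    "block drop in quick inet from 192.0.2.10 to any",
    "block drop in quick inet from 192.0.2.77 to any",
    "block drop in quick inet from 198.51.100.4 to any",
    "block drop in quick inet from 203.0.113.0/24 to any",
    "pass in inet proto tcp from 192.0.2.200 to any port 22",
    "pass out all",
]

if __name__ == "__main__":
    optimized, generated = combine_into_tables(SAMPLE)
    print("\n".join(optimized))
    for table, members in generated.items():
        print(f"table <{table}>: {' '.join(members)}")
```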