should tcpdump see blocked packets?

Dmitry Andrianov dimas at dataart.com
Mon May 1 19:01:26 UTC 2006


Hello all.
 
I was under the impression that tcpdump on any interface should NOT see
incoming packets which are blocked by pf rules - these packets should
only appear on pflog0 interface (and only if logged explicitly by "block
log"/"pass log" rule).
 
But right now I see that tcpdump -pni em0 (where em0 is my DMZ
interface) actually sees packets which should not be there (because they
are blocked)! Interestingly enough, these packets are also visible with
tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in
my ruleset, only the "block + log" ones, the only explanation I see is
that tcpdump sees packets on em0 before they are processed by pf. This
worries me because for other interfaces tcpdump does not see blocked
traffic. I wonder why this happens.
 
Regards,
Dmitry Andrianov
 