Why Does This Packet Match This Rule?
Drew Tomlinson
drew at mykitchentable.net
Wed Mar 28 17:54:50 UTC 2007
I am having a heck of a time understanding how pf works and getting it
to behave the way I want with my home network and ADSL connection.
Basically I want to use ALTQ to prioritize traffic going out the
interface connected to my ADSL modem. Here's my network:
internal --- dc0 - FBSD router - dc1 --- ADSL
So I created a rule set and now I'm trying to watch it and figure out
what is happening. In watching the log, I captured this smtp transaction
(I numbered each entry for reference):
1.
2007-03-28 08:57:48.143830 rule 55/0(match): pass in on dc1:
196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win
65535 <mss 1420,nop,wscale 0,[|tcp]>
2.
2007-03-28 08:57:48.143892 rule 86/0(match): pass out on dc0:
196.206.216.121.40718 > 192.168.1.4.25: S 377431782:377431782(0) win
65535 <mss 1420,nop,wscale 0,[|tcp]>
3.
2007-03-28 08:57:48.144212 rule 85/0(match): pass in on dc0:
192.168.1.4.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack
377431783 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
4.
2007-03-28 08:57:48.144247 rule 55/0(match): pass out on dc1:
66.205.146.210.25 > 196.206.216.121.40718: S 884974271:884974271(0) ack
377431783 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
5.
2007-03-28 08:57:50.811908 rule 55/0(match): pass in on dc1:
196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
6.
2007-03-28 08:57:50.811938 rule 86/0(match): pass out on dc0:
196.206.216.121.40718 > 192.168.1.4.25: . ack 1 win 65535
7.
2007-03-28 08:57:51.352988 rule 85/0(match): pass in on dc0:
192.168.1.4.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370
8.
2007-03-28 08:57:51.353032 rule 55/0(match): pass out on dc1:
66.205.146.210.25 > 196.206.216.121.40718: P 1:48(47) ack 1 win 33370
and so on...
The currently loaded relevant rules are:
@55 pass in log-all on dc1 inet proto tcp from any to 192.168.1.4 port = smtp
@84 pass out log-all quick on dc1 inet from 66.205.146.210 to any modulate state queue(std_out, ack_out)
@85 pass in log on dc0 inet from 192.168.1.0/24 to any
@86 pass out log on dc0 inet all
In the above tcpdump output, I understand why entries 1-3 and 5-7 match
the rules they match. However, I do not understand entries 4 and 8.
Instead of matching rule 55, I would expect them to match rule 84. Then
the only traffic I should see passing through the pf rule set would be
entries 1-4, as when 4 matches rule 84, a state entry would be made and
further matches would occur in the state table, eliminating entries 5-8
(and the rest). What am I missing?
If it helps, I also posted my complete pf.conf and the rules to which it
expands at http://drew.mykitchentable.net/Temp/pf.conf.htm
Thanks,
Drew
--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
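The stateless evaluation the poster expects (last matching rule wins unless a matching rule is `quick`), run over the four rules and the first four logged packets, as an added example written for this page and not part of the original post or of pf itself. It models only the rule options that appear in the post (direction, interface, proto, source/destination, destination port, quick); the `Rule`, `Packet` and `evaluate` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    nr: int
    direction: str               # "in" or "out"
    iface: str
    quick: bool = False
    proto: Optional[str] = None  # None means any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None means any port


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.iface == p.iface
            and (r.proto is None or r.proto == p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules, p: Packet) -> Optional[int]:
    """First-pass pf semantics: the last matching rule wins, unless a matching rule is quick."""
    winner = None
    for r in rules:
        if rule_matches(r, p):
            winner = r
            if r.quick:
                break
    return winner.nr if winner else None


# The four rules quoted in the post, in pfctl order.
RULES = [
    Rule(55, "in", "dc1", proto="tcp", dst="192.168.1.4", dport=25),
    Rule(84, "out", "dc1", quick=True, src="66.205.146.210"),
    Rule(85, "in", "dc0", src="192.168.1.0/24"),
    Rule(86, "out", "dc0"),
]

# Log entries 1-4 from the post; entries 5-8 repeat the same four tuples.
PACKETS = {
    1: Packet("in", "dc1", "tcp", "196.206.216.121", "192.168.1.4", 25),
    2: Packet("out", "dc0", "tcp", "196.206.216.121", "192.168.1.4", 25),
    3: Packet("in", "dc0", "tcp", "192.168.1.4", "196.206.216.121", 40718),
    4: Packet("out", "dc1", "tcp", "66.205.146.210", "196.206.216.121", 40718),
}

if __name__ == "__main__":
    for n, p in PACKETS.items():
        print(f"entry {n}: stateless match -> rule {evaluate(RULES, p)}")
```

Under this model entry 4 resolves to rule 84, matching the poster's expectation, so a pflog line that reports a different rule number for it was not produced by this first-pass rule walk; that is the discrepancy to chase when reading the full pf.conf.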