FreeBSD 7.1-PRERELEASE Trouble

Jeremy Chadwick koitsu at FreeBSD.org
Tue Sep 9 06:10:49 UTC 2008


On Tue, Sep 09, 2008 at 09:20:20AM +0400, Dmitry Rybin wrote:
> === pf.conf ===
> ext_if="bge0"
> 
> block in quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
> # pfctl -f
> # pfctl -t dnsflood -Tadd 78.107.71.38
> # pfctl -t dnsflood -Tadd 89.179.195.34
> # pfctl -t dnsflood -Tshow
> 78.107.71.38
> 89.179.195.34
> 
> and so on.
> # pfctl -k 78.107.71.38
> killed 1 states from 1 sources and 0 destinations
> [root at earth /opt/home/kirgudu]# tcpdump -ibge0 -p -n host 78.107.71.38
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:12:37.260545 IP 78.107.71.38.46316 > 195.14.50.21.53: 21852+ TXT? 170.225.6.117.bl.spamcop.net. (46)
> 09:12:37.812533 IP 78.107.71.38.46317 > 195.14.50.21.53: 52423+ PTR? 142.220.10.10.in-addr.arpa. (44)
> 09:12:38.838395 IP 195.14.50.21.53 > 78.107.71.38.42859: 13664 ServFail 0/0/0 (46)
> 09:12:38.838420 IP 195.14.50.21.53 > 78.107.71.38.42859: 6698 ServFail 0/0/0 (46)
> 09:12:39.028347 IP 78.107.71.38.46318 > 195.14.50.21.53: 3221+ PTR? 109.220.10.10.in-addr.arpa. (44)
> 09:12:39.492471 IP 78.107.71.38.46319 > 195.14.50.21.53: 1887+ PTR? 57.63.8.58.in-addr.arpa. (41)
> 
> # pfctl  -s state|grep 78.107.71.38
> all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
> 
> The DNS service is replying to the blocked host.
> 
> # pfctl  -s rules
> block drop quick in on bge0 inet from <dnsflood> to any
> pass in all flags S/SA keep state
> pass out all flags S/SA keep state

Hmm, it appears that even with the "block" rule in place, and all
previous state table entries flushed, the packet is somehow making it
through.

Does "pfctl -T show -t dnsflood -v" show any In/Block hits on the table
entry for 78.107.71.38?  (I doubt it, but I want to make sure.)

Only two ideas I have left:

1) Are you *absolutely sure* the packets are arriving on bge0 and not
some other interface?

2) Is pf processing even enabled?  pfctl -s info | head -1

Also, you removed the freebsd-pf mailing list from your response to me.
I don't know why, so I've re-added it.

If none of the above helps, then I'm out of ideas and David or Max will
have to assist in figuring out the root cause.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
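The mechanics behind this thread, as an added illustration that is not part of the original messages and not pf's source code: pf consults the state table before the ruleset, so a packet matching an existing state passes in either direction without the "block ... quick" rule ever being evaluated; a "pass ... keep state" rule creates a state keyed on whichever packet created it, so the state's source is whoever sent that first packet; and "pfctl -k host" removes only states originating from host (a second "-k" is needed to select by destination as well). The toy model below encodes those three facts and replays the addresses and ports from the post through them. The second scenario assumes a state whose source side is the DNS server, which is the shape of the one state left in the "pfctl -s state" output above; how such a state came to exist is not established by the thread, and the scenario is constructed only to show that "-k 78.107.71.38" cannot remove it.

```python
"""Toy model of pf's packet path (constructed illustration, not pf's code):
  1. an existing state matching the packet, in either direction, passes it
     before any rule is looked at;
  2. otherwise rules are walked in order and the LAST match wins, unless a
     matching rule is 'quick', which ends the walk;
  3. a matching 'pass ... keep state' inserts a state keyed on the creating
     packet, so its 'source' is that packet's sender;
  4. 'pfctl -k src [-k dst]' removes states by their source (and destination).
Addresses and ports are taken from the post; the packet sequences are made up."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in", "out" or "any"
    quick: bool = False
    keep_state: bool = False
    src_table: str = ""  # source must be in this table ("" = any source)


class ToyPF:
    def __init__(self, rules, tables):
        self.rules = list(rules)
        self.tables = {name: set(hosts) for name, hosts in tables.items()}
        self.states = set()  # keys: (proto, src, sport, dst, dport) of creator

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        """Return (verdict, reason); verdict is 'pass' or 'block'."""
        # State lookup happens first: an established flow bypasses the ruleset,
        # so a block rule added later cannot stop it on its own.
        if self._key(p) in self.states or self._reverse(p) in self.states:
            return ("pass", "state")
        last = None
        for r in self.rules:
            if r.direction not in ("any", p.direction):
                continue
            if r.src_table and p.src not in self.tables.get(r.src_table, set()):
                continue
            last = r
            if r.quick:
                break  # 'quick': first match is final
        if last is None:
            return ("pass", "default")  # pf passes when no rule matches
        if last.action == "pass" and last.keep_state:
            self.states.add(self._key(p))
        return (last.action, "rule")

    def kill_states(self, src, dst=None):
        """Model 'pfctl -k src' / 'pfctl -k src -k dst'; returns count removed."""
        doomed = {s for s in self.states
                  if s[1] == src and (dst is None or s[3] == dst)}
        self.states -= doomed
        return len(doomed)


CLIENT, SERVER = "78.107.71.38", "195.14.50.21"


def make_pf(dnsflood=()):
    """The ruleset printed by 'pfctl -s rules' in the post."""
    return ToyPF([Rule("block", "in", quick=True, src_table="dnsflood"),
                  Rule("pass", "in", keep_state=True),
                  Rule("pass", "out", keep_state=True)],
                 {"dnsflood": dnsflood})


def query(sport):  # inbound DNS query from the client
    return Packet("in", "udp", CLIENT, sport, SERVER, 53)


def reply(dport):  # outbound DNS answer from the server
    return Packet("out", "udp", SERVER, 53, CLIENT, dport)


def scenario_state_from_client():
    """State created by the client's query: its source is the client, so
    '-k CLIENT' removes it and the quick block rule takes over."""
    pf = make_pf()
    assert pf.filter(query(42859)) == ("pass", "rule")  # state created
    pf.tables["dnsflood"].add(CLIENT)                   # pfctl -t dnsflood -T add
    still_passing = pf.filter(query(42859))[1]          # "state": block never seen
    killed = pf.kill_states(CLIENT)                     # pfctl -k 78.107.71.38
    return still_passing, killed, pf.filter(query(42859))


def scenario_state_from_server():
    """Constructed: state created by the OUTBOUND reply, so its source is the
    server. '-k CLIENT' misses it and the client's packets keep riding on it;
    '-k SERVER -k CLIENT' is what removes it."""
    pf = make_pf(dnsflood={CLIENT})
    assert pf.filter(reply(42859)) == ("pass", "rule")  # state src = SERVER
    killed_by_client = pf.kill_states(CLIENT)           # 0
    via_state = pf.filter(query(42859))                 # ("pass", "state")
    killed_by_pair = pf.kill_states(SERVER, CLIENT)     # 1
    return killed_by_client, via_state, killed_by_pair, pf.filter(query(42859))
```

Two practical checks follow from the model. "pfctl -s state | grep host" before and after a "-k" shows whether the surviving entries have the host on the source or the destination side; "pfctl -k 0.0.0.0/0 -k host" selects by destination as well. Separately, on FreeBSD bpf taps inbound frames before pf evaluates them, so inbound queries appearing in a tcpdump capture on the interface are not by themselves evidence that pf passed them; outbound packets, such as the ServFail replies in the capture above, are seen by bpf only after pf has let them through.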
