Unexpected pf behavior

Brandon Vincent Brandon.Vincent at asu.edu
Sat May 10 22:21:51 UTC 2014


Doug,

As long as you are on the same LAN/broadcast domain, it would be pretty
easy to use a program like Nmap with the "-S, --source-ip" parameter to
spoof the source IP.

Would you mind sharing the rule that caused this problem?

Brandon Vincent


On Sat, May 10, 2014 at 2:34 PM, Doug Hardie <bc979 at lafn.org> wrote:

> I have a pf rule (FreeBSD 9.2) that uses a table to block access from
> specific networks.  This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked networks to access the
> server.  All were blocked and marked as such with the proper rule number in
> pflog.
>
> 10 succeeding connections that were passed through to the port.  These
> were logged by the process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time.  This
> all transpired in about 10 minutes.  A dump of the table shows the proper
> address range.  I am not logging the pass throughs so only the original 12
> blocks are in the logs.  I have never seen anything like this in the past.
> Is there some way I can test a specific IP address and have pf tell me
> what it would do if it received a packet from that address?
>
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
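On the question of testing an address against pf: the authoritative check on the box itself is `pfctl -t <table> -T test <address>`, which reports whether the address matches the table, and `pfctl -vsr` shows per-rule evaluation and match counters for comparison against the pflog entries. The following is an added example, not part of the thread and not pf's own code: an offline model in Python of how pf resolves an address against a table dump, so that a list of source addresses taken from the listening process's log can be checked against the table contents without touching the firewall. The table text is a constructed sample in the format `pfctl -t <table> -T show` prints; the table name `blocked` and the addresses are assumptions. It implements pf's longest-prefix rule for tables, including negated (`!`) entries, where the most specific matching entry decides.

```python
import ipaddress

# Constructed sample of a table dump (what `pfctl -t blocked -T show` prints,
# one entry per line). A leading "!" marks a negated entry: pf chooses the
# most specific (longest prefix) entry that contains the address, and if that
# winning entry is negated, the address is treated as NOT in the table.
SAMPLE_TABLE_DUMP = """\
   198.51.100.0/24
  !198.51.100.200/29
   203.0.113.0/24
   2001:db8::/32
"""


def parse_table(dump):
    """Parse a table dump into a list of (network, negated) tuples."""
    entries = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:].strip()
        # strict=False tolerates host bits set in an entry such as 10.1.2.3/24
        entries.append((ipaddress.ip_network(line, strict=False), negated))
    return entries


def table_matches(entries, addr):
    """Return (in_table, winning_entry) for addr using longest-prefix match.

    winning_entry is the (network, negated) tuple that decided the result,
    or None when no entry contains the address at all.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in entries:
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    if best is None:
        return False, None
    # A negated most-specific entry excludes the address from the table.
    return (not best[1]), best


def decision(entries, addr, action="block"):
    """What a single `<action> from <table>` rule would do for addr."""
    in_table, _ = table_matches(entries, addr)
    return action if in_table else "pass"


def unexpected_passes(entries, passed_addrs):
    """Given source addresses that were observed reaching the service,
    return those the table says should have been blocked."""
    return [a for a in passed_addrs if table_matches(entries, a)[0]]


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE_DUMP)
    # Constructed list of source addresses seen in the service's own log.
    seen = ["203.0.113.7", "192.0.2.1", "198.51.100.10", "198.51.100.201"]
    for a in seen:
        print(a, "->", decision(table, a), table_matches(table, a)[1])
    print("should have been blocked:", unexpected_passes(table, seen))
```

The model covers only the table lookup. pf itself applies the last matching rule unless a rule carries `quick`, and existing state entries are matched before the ruleset is evaluated at all, so a `block` result here means the address is in the table, not that every packet from it must be dropped; `pfctl -vsr` and the rule numbers in pflog are the place to confirm which rule actually fired.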
