Why is PF rejecting these connections?
Dave Horsfall
dave at horsfall.org
Sat Nov 18 01:31:58 UTC 2017
I have PF (FreeBSD 10.4) configured to drop suspicious packets e.g. those
claiming to be ACKs for non-existent connections etc, but I'm seeing some
weirdness in the logs. Now, I sort of inherited the configuration and
don't fully understand each directive, but if it works for someone I
trust, well...
Anyway, here are some sample log entries:
23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
[...]
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
Etc; the common theme appears to be those options whose purpose I don't
quite grok, but are presumably legal in this context.
The relevant lines from my pf.conf seem to be:
set block-policy drop
set loginterface egress
#set ruleset-optimization basic
scrub in
block all
pass out quick all keep state
antispoof log quick for $ext_if inet
[ Sundry pass/block rules ]
So, why is PF complaining about those packets? The finer points of TCP
options notwithstanding, they seem OK to me... Remember: I inherited most
of the configuration file, so I don't necessarily understand it.
Thanks.
--
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."
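An added example, not from the post or the list: it parses the tcpdump-format pflog lines quoted above and groups bare SYNs by 4-tuple and initial sequence number, so a repeated SYN with an identical ISN stands out as a retransmission (the sender got no SYN-ACK and no RST, which is what a drop policy looks like from outside), and it flags the `[|tcp]` suffix, which is tcpdump's marker that the captured bytes ended inside the option list rather than a malformed option. Function and variable names (`parse_line`, `find_syn_retransmits`, `LOG_LINES`) are this example's own; the sample lines are the four from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the four tcpdump-format pflog lines quoted in the post.
LOG_LINES = """\
23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
""".splitlines()

# One tcpdump "IP src.port > dst.port: Flags [..], seq N, win W, options [...]" line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq>\d+)(?:, win (?P<win>\d+))?(?:, options \[(?P<opts>.*))?$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it is not a tcpdump TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    h, mi, s = rec["ts"].split(":")
    rec["t"] = int(h) * 3600 + int(mi) * 60 + float(s)   # seconds since midnight
    rec["seq"] = int(rec["seq"])
    # "[|tcp]" is tcpdump's truncation marker: the captured bytes (pflogd
    # snaplen) ran out inside the option list. It does not mean a bad option.
    rec["truncated"] = "[|tcp]" in (rec["opts"] or "")
    return rec

def find_syn_retransmits(lines):
    """Group bare SYNs by (src, sport, dst, dport, ISN).

    A second SYN with the same ISN from the same source port is a
    retransmission: the client got neither a SYN-ACK nor a RST for the
    first one, which is consistent with 'set block-policy drop'.
    Returns {key: [gap_seconds, ...]} for keys seen more than once.
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["flags"] == "S":
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["seq"])
            seen[key].append(rec["t"])
    return {k: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for k, ts in seen.items() if len(ts) > 1}

if __name__ == "__main__":
    for key, gaps in find_syn_retransmits(LOG_LINES).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} ISN {key[4]} retransmitted after {gaps}s")
```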