Why is PF rejecting these connections?
Kristof Provost
kristof at sigsegv.be
Sat Nov 18 10:13:34 UTC 2017
On 18 Nov 2017, at 2:20, Dave Horsfall wrote:
> I have PF (FreeBSD 10.4) configured to drop suspicious packets e.g.
> those claiming to be ACKs for non-existent connections etc, but I'm
> seeing some weirdness in the logs. Now, I sort of inherited the
> configuration and don't fully understand each directive, but if it
> works for someone I trust, well...
>
> Anyway, here are some sample log entries:
>
> 23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944
> > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss
> 1460,sackOK,TS[|tcp]>
> 23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944
> > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss
> 1460,sackOK,TS[|tcp]>
> [...]
> 23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp:
> Flags [S], seq 1022514539, win 14600, options [mss
> 1460,sackOK,TS[|tcp]>
> 23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp:
> Flags [S], seq 1022514539, win 14600, options [mss
> 1460,sackOK,TS[|tcp]>
>
Can you post a full pcap capture? It’s very hard to figure things out
from a text summary of a packet.
Where and how were these logged? How do you know they’re being
dropped?
> Etc; the common theme appears to be those options whose purpose I
> don't quite grok, but are presumably legal in this context.
>
> The relevant lines from my pf.conf seem to be:
>
> set block-policy drop
> set loginterface egress
> #set ruleset-optimization basic
> scrub in
> block all
> pass out quick all keep state
> antispoof log quick for $ext_if inet
> [ Sundry pass/block rules ]
>
Are these incoming or outgoing packets? I really can’t tell what’s
going on from your report.
Regards,
Kristof
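Added example for this thread (not code from the freebsd-pf list, from PF or from FreeBSD): Kristof's two questions, where the packets were logged and whether they were really dropped, are answered directly once the block rules carry the `log` keyword (`block log all` in place of `block all`), because `tcpdump -n -e -ttt -i pflog0` then prefixes every packet with the rule number, action and direction that matched it. The script parses constructed lines of that form, tallies packets per rule, and flags inbound SYNs to port 25 that were blocked and then seen again with the same source port and sequence number, i.e. the client retransmitting a SYN that got no SYN-ACK, which is the same shape as the repeated entries in Dave's log. The rule numbers, addresses and the interface name `em0` are made up for the sample.

```python
"""Attribute pflog entries to the PF rule that matched them.

Added example for this thread, not code from the freebsd-pf list or from
PF itself.  It reads lines in the form printed by
`tcpdump -n -e -ttt -i pflog0` (rules must carry the `log` keyword to
appear there) and answers two questions: which rule and action handled
each packet, and which inbound SYNs were blocked and then retransmitted.
The sample lines are constructed; addresses are documentation ranges.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of pflog0 output.  The "rule N/S(reason): action dir on
# ifname:" prefix comes from tcpdump's pflog printer; everything after the
# colon is the ordinary tcpdump decode of the packet.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 2/0(match): block in on em0: 203.0.113.44.34944 > 192.0.2.5.25: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS val 1 ecr 0], length 0
00:00:03.000000 rule 2/0(match): block in on em0: 203.0.113.44.34944 > 192.0.2.5.25: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS val 2 ecr 0], length 0
00:00:05.100000 rule 2/0(match): block in on em0: 198.51.100.7.4444 > 192.0.2.5.25: Flags [.], ack 1, win 512, length 0
00:00:07.200000 rule 5/0(match): pass in on em0: 203.0.113.9.51000 > 192.0.2.5.25: Flags [S], seq 77, win 65535, options [mss 1460], length 0
00:00:07.300000 rule 3/0(match): pass out on em0: 192.0.2.5.48000 > 203.0.113.9.25: Flags [S], seq 99, win 65535, options [mss 1460], length 0
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
SEQ_RE = re.compile(r"\bseq (?P<seq>\d+)")


def split_endpoint(endpoint):
    """'203.0.113.44.34944' -> ('203.0.113.44', 34944) for tcpdump -n output."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None for non-pflog text."""
    m = PFLOG_RE.match(line)
    if not m:
        return None  # e.g. the "tcpdump: listening on pflog0" banner
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    flags = FLAGS_RE.search(m["rest"])
    seq = SEQ_RE.search(m["rest"])
    return {
        "rule": int(m["rule"]), "reason": m["reason"], "action": m["action"],
        "dir": m["dir"], "iface": m["iface"],
        "src": src_host, "sport": src_port, "dst": dst_host, "dport": dst_port,
        "flags": flags["flags"] if flags else "",
        "seq": int(seq["seq"]) if seq else None,
    }


def parse_pflog(text):
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def rule_summary(records):
    """Count packets per (rule number, action, direction, destination port)."""
    return Counter((r["rule"], r["action"], r["dir"], r["dport"]) for r in records)


def blocked_syn_retransmits(records, dport=25):
    """Inbound SYNs to dport that were blocked and then seen again with the
    same source port and sequence number: the client got no SYN-ACK and
    retransmitted, which is direct evidence the SYN was dropped, not answered."""
    seen = defaultdict(int)
    for r in records:
        if (r["action"] == "block" and r["dir"] == "in"
                and r["dport"] == dport and r["flags"] == "S"):
            seen[(r["src"], r["sport"], r["seq"])] += 1
    return {k: n for k, n in seen.items() if n > 1}


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for (rule, action, direction, port), n in sorted(rule_summary(recs).items()):
        print(f"rule {rule} {action} {direction} -> port {port}: {n} packet(s)")
    for (src, sport, seq), n in blocked_syn_retransmits(recs).items():
        print(f"{src}:{sport} seq {seq}: SYN blocked {n} times (retransmitting)")
```

Run it against a real capture with `tcpdump -n -e -ttt -i pflog0 | python3 pflog_rules.py` once the input is read from stdin instead of `SAMPLE_PFLOG`; the rule number in each line maps back to `pfctl -vvsr` output, so a packet that Dave's `block all` silently drops today would show up as `rule 0/0(match): block in` with the exact SYN options that PF saw, and an ACK for a connection PF has no state for would carry a non-`match` reason rather than a rule hit.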