PF problem with packets falling in block...

Bartosz Woronicz bartosz.woronicz at korbank.pl
Wed Jun 1 12:18:08 UTC 2011


I want to just block a few classes that must be blocked. It seems like
it's partly working, but not all packets are accessible. And moreover I
cannot connect from outside.
What is wrong? My FreeBSD is 7.3-STABLE;
my WAN interface is vlan300 and vlan352 is for a user.
The rule for blocking is:
rule 28/0   block in log on vlan352 from 79.110.199.192/27 to <mynet>
rule 29/0   block in log on vlan352 from 79.110.199.192/27 to !<mynet>

I was also trying with: block in log on vlan352 from 79.110.199.192/27 to any
instead of these 2 above.
<mynet> contains addresses of my network: 79.110.192.0/20

Passing rules are:
pass quick from 79.110.199.199 to <mynet> keep state
pass in  quick on vlan352 from 79.110.199.199 to !<mynet> tag FROM79_110_199_199 queue 79_110_199_199D
pass out quick on vlan300 tagged FROM79_110_199_199 queue 79_110_199_199U
pass in  quick on vlan300 from !<mynet> to 79.110.199.199 tag TO79_110_199_199 queue 79_110_199_199U
pass out quick on vlan352 tagged TO79_110_199_199 queue 79_110_199_199D


But still some packets are dropped:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), 
capture size 96 bytes
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, 
offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 
87.239.219.82.59291:  tcp 1480 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 56948, 
offset 0, flags [DF], proto TCP (6), length 1442) 79.110.199.199.55073 > 
80.229.149.80.55511:  tcp 1422 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 
0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 
85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8243, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 
85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8244, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 
85.222.56.47.56705:  tcp 32 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8245, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 
85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8246, offset 
0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 
85.222.56.47.56705: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 
79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8247, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 
85.222.56.47.56705:  tcp 32 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54313, 
offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 
87.239.219.82.59291: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 
79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54314, 
offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 
87.239.219.82.59291: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8248, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 
85.222.56.47.56705:  tcp 32 [bad hdr length 0 - too short, < 20]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 
0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 
79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54315, 
offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 
87.239.219.82.59291: [|tcp]

-- 
Regards,
Bartosz Woronicz, System Administrator,
mynet S.A.
ul. Nabycińska 19
53-677 Wrocław
NIP: 894-26-41-602
tel. 071-723-43-23
fax. 071-723-43-29
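The pflog lines above, run through a small triage script. This is an added example for readers of the thread; it is not part of the original post and not FreeBSD or PF code. It parses the `rule N/0(match): block in on vlan352: (...) SRC.PORT > DST.PORT: ...` format that tcpdump prints for pflog0, counts blocks per rule and per flow, flags lines where tcpdump could not see a complete TCP header, and checks that each block rule only matched destinations it was written for (rule 28 only inside 79.110.192.0/20, rule 29 only outside it, taken from the block rules as quoted). The sample lines are copied from the post with the mail client's line wrapping undone; the function names and the rule-to-scope mapping are assumptions of this example.

```python
"""Triage helper for pflog output as printed by tcpdump on pflog0.

Added example, not code from the post or from FreeBSD/PF. It parses the
'rule N/0(match): block in on IFACE: (...) SRC.PORT > DST.PORT: ...' lines,
summarises which rule blocked which flow, and checks that each block rule
only matched the destination scope it was written for.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: lines copied from the post, with the mailer's line
# wrapping undone so each pflog record is on one line.
SAMPLE_LOG = """\
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 87.239.219.82.59291:  tcp 1480 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
"""

# One pflog record as tcpdump -v prints it for IPv4/TCP.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\S+): "
    r"\(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), offset \d+, "
    r"flags \[[^\]]*\], proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):(?P<rest>.*)$"
)


def parse_pflog(text):
    """Return one dict per parseable record; other lines (tcpdump banners) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sub", "ttl", "id", "length", "sport", "dport"):
            rec[key] = int(rec[key])
        # "[|tcp]" and "bad hdr length" mean tcpdump ran out of captured bytes
        # before the end of the TCP header (the 96-byte snaplen), not that the
        # packet on the wire was malformed.
        rec["truncated"] = "[|tcp]" in rec["rest"] or "bad hdr length" in rec["rest"]
        records.append(rec)
    return records


def blocks_per_rule(records):
    """How many records each block rule produced."""
    return Counter(r["rule"] for r in records if r["action"] == "block")


def blocked_flows(records):
    """Distinct (rule, src, dst, dport) tuples that were blocked, with counts."""
    return Counter(
        (r["rule"], r["src"], r["dst"], r["dport"])
        for r in records
        if r["action"] == "block"
    )


def rule_scope_violations(records, local_net, to_local_rules, to_remote_rules):
    """Records where a rule matched a destination outside its intended scope.

    to_local_rules are rule numbers that should only match dst in local_net,
    to_remote_rules those that should only match dst outside it.
    """
    net = ipaddress.ip_network(local_net)
    bad = []
    for r in records:
        inside = ipaddress.ip_address(r["dst"]) in net
        if r["rule"] in to_local_rules and not inside:
            bad.append(r)
        elif r["rule"] in to_remote_rules and inside:
            bad.append(r)
    return bad


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_LOG)
    print("blocks per rule:", dict(blocks_per_rule(recs)))
    for flow, n in blocked_flows(recs).items():
        print("rule %d: %s -> %s:%d  x%d" % (flow + (n,)))
    print("lines with truncated TCP header:", sum(r["truncated"] for r in recs))
    # Rule 28 is "to <mynet>", rule 29 is "to !<mynet>" (from the post).
    print("scope violations:", rule_scope_violations(recs, "79.110.192.0/20", {28}, {29}))
```

On the sample every line is flagged as truncated: with a 96-byte capture size the pflog header plus the IP header use up most of the capture, so tcpdump never sees a full 20-byte TCP header and prints `[|tcp]` or `bad hdr length 0` instead of the real flags. Re-running the capture with a larger snaplen (`tcpdump -s 256 -n -e -ttt -i pflog0`) shows the actual TCP flags, which is what you need to tell a blocked SYN from a blocked mid-connection segment when working out why a `pass quick` rule is not matching.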


