I have a network at home. Host delta has the IP 192.168.180.33 and host alpha has the IP 192.168.1.127. When I put these pf rules on host delta I would expect the packet to drop and log to pflog0.
On delta:

    # pfctl -srules
    block return all
    pass all flags S/SA
    block return in on ! lo0 proto tcp from any to any port 6000:6010
    block drop log on vio0 inet proto tcp from 192.168.0.0/18 to 127.0.0.1 port = 2222
    block drop log on vio0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = 2223
    block drop log on vio0 inet proto tcp from 192.168.179.10 to 127.0.0.1 port = 2224
    block drop log on vio0 inet proto tcp from 192.168.0.0/18 to 192.168.180.33 port = 2222
    block drop log on vio0 inet proto tcp from 192.168.1.0/24 to 192.168.180.33 port = 2223
    block drop log on vio0 inet proto tcp from 192.168.179.10 to 192.168.180.33 port = 2224

On alpha:

    alpha$ telnet delta 2222
    Trying 192.168.180.33...
    telnet: connect to address 192.168.180.33: Connection refused
    alpha$ telnet delta 2223
    Trying 192.168.180.33...
    telnet: connect to address 192.168.180.33: Connection refused
    alpha$ telnet delta 2224
    Trying 192.168.180.33...
    telnet: connect to address 192.168.180.33: Connection refused

I would have expected a timeout on ports 2222 and 2223, but it didn't happen and nothing was logged, although the counter increased on the particular delta rules:

    @6 block drop log on vio0 inet proto tcp from 192.168.0.0/18 to 192.168.180.33 port = 2222
      [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 12241 State Creations: 0 ]
    @7 block drop log on vio0 inet proto tcp from 192.168.1.0/24 to 192.168.180.33 port = 2223
      [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 12241 State Creations: 0 ]
    @8 block drop log on vio0 inet proto tcp from 192.168.179.10 to 192.168.180.33 port = 2224
      [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 12241 State Creations: 0 ]

Let's take a look at 192.168.0.0/18; ipcalc says this:

    alpha# ipcalc 192.168.0.0/18
    address   : 192.168.0.0
    netmask   : 255.255.192.0 (0xffffc000)
    network   : 192.168.0.0 /18
    broadcast : 192.168.63.255
    host min  : 192.168.0.1
    host max  : 192.168.63.254
    hosts/net : 16382

so alpha is in the 192.168.0.0/18 range, but it's not catching. When I negate that rule, though, so it reads:

    block drop log on vio0 inet proto tcp from ! 192.168.0.0/18 to 192.168.180.33 port = 2222
    block drop log on vio0 inet proto tcp from ! 192.168.1.0/24 to 192.168.180.33 port = 2223

I get this on alpha:

    alpha$ telnet delta 2222
    Trying 192.168.180.33...
    ^C
    alpha$ telnet delta 2223
    Trying 192.168.180.33...
    ^C

I get the wanted timeout, but the logic is wrong. Tested on OpenBSD 5.7 and OpenBSD 5.8. If I'm wrong here please be gentle with the cluebat.

Cheers,
-peter
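As an added example (not part of Peter's post, and not pf's own code): a small Python model of pf's rule walk, where every rule without "quick" is evaluated and the last match decides, with per-rule Evaluations/Packets counters like those shown by pfctl -vsr. It loads rules @0, @1 and @6-@8 from delta's ruleset and evaluates a SYN to delta from whatever source address you pass in; interface and direction are ignored, and 192.168.100.5 is a constructed address that lies outside both prefixes. Note that Evaluations rises for a rule even when it does not match, while Packets stays at 0, which is the pattern in the counters above.

```python
# Added example modelling pf rule evaluation; not pf's own code.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                   # "block" or "pass"
    src: str = "any"              # source address or CIDR; "any" matches everything
    dst: str = "any"              # destination address or CIDR
    port: "int | None" = None     # destination port; None = any port
    negate_src: bool = False      # the "from ! <prefix>" form
    evaluations: int = 0          # mirrors the "Evaluations" counter of pfctl -vsr
    packets: int = 0              # mirrors the "Packets" counter of pfctl -vsr

def addr_matches(spec, negate, addr):
    """'any' matches all; otherwise CIDR membership, inverted by '!'."""
    hit = (spec == "any"
           or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))
    return hit != negate

def evaluate(rules, src, dst, port):
    """Walk every rule (no 'quick'): each is evaluated, the LAST match wins."""
    winner = None
    for r in rules:
        r.evaluations += 1                       # counted even when it does not match
        if (addr_matches(r.src, r.negate_src, src)
                and addr_matches(r.dst, False, dst)
                and r.port in (None, port)):
            winner = r
    if winner is None:                           # pf's implicit default is pass
        return "pass"
    winner.packets += 1                          # only the deciding rule counts the packet
    return winner.action

DELTA = "192.168.180.33"

def build_rules(negate_src=False):
    """Rules @0, @1 and @6-@8 from delta's ruleset (the 127.0.0.1 rules are omitted)."""
    return [
        Rule("block"),                                             # block return all
        Rule("pass"),                                              # pass all flags S/SA
        Rule("block", "192.168.0.0/18", DELTA, 2222, negate_src),  # @6
        Rule("block", "192.168.1.0/24", DELTA, 2223, negate_src),  # @7
        Rule("block", "192.168.179.10", DELTA, 2224, negate_src),  # @8
    ]

def outcome(src, port, negate_src=False):
    """Return the deciding action and (evaluations, packets) for @6-@8."""
    rules = build_rules(negate_src)
    action = evaluate(rules, src, DELTA, port)
    return action, [(r.evaluations, r.packets) for r in rules[2:]]
```

Feeding the model the source address delta actually sees on vio0 (for example from tcpdump -ni vio0 port 2222) shows which of @6-@8 can match it; the negated form flips the result for any address outside the prefix.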
