Ugh. Never mind, I seem to be coming from a tunnel to delta. Really, really sorry.
-peter

On 08/01/15 18:39, Peter J. Philipp wrote:
> I have a network at home. Host delta has the IP 192.168.180.33 and host alpha has the IP 192.168.1.127. When I put these pf rules on host delta I would expect the packet to drop and log to pflog0.
>
> On delta:
>
> # pfctl -srules
> block return all
> pass all flags S/SA
> block return in on ! lo0 proto tcp from any to any port 6000:6010
> block drop log on vio0 inet proto tcp from 192.168.0.0/18 to 127.0.0.1 port = 2222
> block drop log on vio0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = 2223
> block drop log on vio0 inet proto tcp from 192.168.179.10 to 127.0.0.1 port = 2224
> block drop log on vio0 inet proto tcp from 192.168.0.0/18 to 192.168.180.33 port = 2222
> block drop log on vio0 inet proto tcp from 192.168.1.0/24 to 192.168.180.33 port = 2223
> block drop log on vio0 inet proto tcp from 192.168.179.10 to 192.168.180.33 port = 2224
>
> On alpha:
>
> alpha$ telnet delta 2222
> Trying 192.168.180.33...
> telnet: connect to address 192.168.180.33: Connection refused
> alpha$ telnet delta 2223
> Trying 192.168.180.33...
> telnet: connect to address 192.168.180.33: Connection refused
> alpha$ telnet delta 2224
> Trying 192.168.180.33...
> telnet: connect to address 192.168.180.33: Connection refused
>
> I would have expected a timeout on ports 2222 and 2223, but it didn't happen and there was no log, though the counter increased on the particular delta rules:
>
> @6 block drop log on vio0 inet proto tcp from 192.168.0.0/18 to 192.168.180.33 port = 2222
>   [ Evaluations: 3  Packets: 0  Bytes: 0  States: 0 ]
>   [ Inserted: uid 0 pid 12241 State Creations: 0 ]
> @7 block drop log on vio0 inet proto tcp from 192.168.1.0/24 to 192.168.180.33 port = 2223
>   [ Evaluations: 3  Packets: 0  Bytes: 0  States: 0 ]
>   [ Inserted: uid 0 pid 12241 State Creations: 0 ]
> @8 block drop log on vio0 inet proto tcp from 192.168.179.10 to 192.168.180.33 port = 2224
>   [ Evaluations: 3  Packets: 0  Bytes: 0  States: 0 ]
>   [ Inserted: uid 0 pid 12241 State Creations: 0 ]
>
> Let's take a look at 192.168.0.0/18, ipcalc says this:
>
> alpha# ipcalc 192.168.0.0/18
> address   : 192.168.0.0
> netmask   : 255.255.192.0 (0xffffc000)
> network   : 192.168.0.0 /18
> broadcast : 192.168.63.255
> host min  : 192.168.0.1
> host max  : 192.168.63.254
> hosts/net : 16382
>
> so alpha is in the 192.168.0.0/18 range, but it's not catching. When I negate those rules though, so that they read:
>
> block drop log on vio0 inet proto tcp from ! 192.168.0.0/18 to 192.168.180.33 port = 2222
> block drop log on vio0 inet proto tcp from ! 192.168.1.0/24 to 192.168.180.33 port = 2223
>
> I get this on alpha:
>
> alpha$ telnet delta 2222
> Trying 192.168.180.33...
> ^C
> alpha$ telnet delta 2223
> Trying 192.168.180.33...
> ^C
>
> I get the wanted timeout, but the logic is wrong. Tested on OpenBSD 5.7 and OpenBSD 5.8.
>
> If I'm wrong here please be gentle with the cluebat.
>
> Cheers,
>
> -peter
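As an added illustration of what the follow-up describes (example code written for this page; it is neither pf's implementation nor anything the poster ran), here is a small Python model of pf's rule matching with a constructed parser for the `pfctl -sr` lines quoted above. It assumes pf's documented semantics: rules are evaluated in order, the last matching rule wins, and an `on vio0` clause only matches packets seen on that interface. Running delta's rules against the same packet from alpha, once as if it arrived on vio0 and once as if it arrived on a tunnel interface (tun0 is an assumed name), shows why traffic reaching delta through a tunnel never hits the interface-scoped block rules: their Evaluations counter still rises while Packets stays at 0, and `pass all` ends up as the last match. The model also implements the `from !` negation from the thread but does not model TCP itself, so the telnet responses shown above are outside its scope.

```python
# Added example, not pf's code or the poster's: a small model of pf's rule
# matching that assumes pf's documented semantics (rules evaluated in order,
# last match wins, 'on <ifname>' restricts a rule to that interface).
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    text: str
    action: str                    # "block" or "pass"
    iface: Optional[str] = None    # None: any interface
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None: 'any'
    src_neg: bool = False          # 'from ! 192.168.0.0/18'
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    log: bool = False
    evaluations: int = 0           # counters as shown by 'pfctl -vsr'
    packets: int = 0

@dataclass
class Packet:
    iface: str                     # interface the packet was seen on
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_rule(line: str) -> Rule:
    tok = line.split()             # constructed parser for the syntax in RULESET_TEXT
    rule, i = Rule(text=line, action=tok[0]), 1
    while i < len(tok):
        t = tok[i]
        if t in ("drop", "return", "inet", "all"):
            i += 1                 # block type and address family: not modelled
        elif t == "flags":
            i += 2                 # TCP flag spec: not modelled
        elif t == "log":
            rule.log, i = True, i + 1
        elif t == "proto":
            rule.proto, i = tok[i + 1], i + 2
        elif t == "on":
            rule.iface, i = tok[i + 1], i + 2
        elif t in ("from", "to"):
            neg = tok[i + 1] == "!"
            val = tok[i + 2] if neg else tok[i + 1]
            net = None if val == "any" else ipaddress.IPv4Network(val, strict=False)
            i += 3 if neg else 2
            if t == "from":
                rule.src, rule.src_neg = net, neg
            else:
                rule.dst = net
        elif t == "port" and tok[i + 1] == "=":
            rule.dport, i = int(tok[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    rule.evaluations += 1          # every evaluation counts, match or not
    if rule.iface is not None and pkt.iface != rule.iface:
        return False               # packet was not seen on that interface
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.src is not None and (pkt.src in rule.src) == rule.src_neg:
        return False               # '!' inverts the source match
    if rule.dst is not None and pkt.dst not in rule.dst:
        return False
    return rule.dport is None or pkt.dport == rule.dport

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, logged, winning rule text); the last matching rule wins."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
    if winner is None:
        return ("pass", False, None)
    winner.packets += 1            # only the winning rule counts the packet
    return (winner.action, winner.log, winner.text)

# Constructed ruleset: the lines of delta's 'pfctl -sr' output that matter here.
RULESET_TEXT = [
    "block return all",
    "pass all flags S/SA",
    "block drop log on vio0 inet proto tcp from 192.168.0.0/18 to 192.168.180.33 port = 2222",
    "block drop log on vio0 inet proto tcp from 192.168.1.0/24 to 192.168.180.33 port = 2223",
]

def syn_from_alpha(iface: str, dport: int) -> Packet:
    # Constructed TCP packet from alpha (192.168.1.127) to delta, seen on 'iface'.
    return Packet(iface, "tcp", ipaddress.IPv4Address("192.168.1.127"),
                  ipaddress.IPv4Address("192.168.180.33"), dport)

def demo() -> dict:
    rules = [parse_rule(r) for r in RULESET_TEXT]
    # Seen on vio0: the interface-scoped block rule is the last match.
    on_vio0 = evaluate(rules, syn_from_alpha("vio0", 2222))
    # Seen on a tunnel interface (tun0 is an assumed name): the 'on vio0' rules
    # are evaluated but never match, so 'pass all' stays the last match.
    on_tun0 = evaluate(rules, syn_from_alpha("tun0", 2222))
    return {"vio0": on_vio0, "tun0": on_tun0,
            "evaluations": rules[2].evaluations, "packets": rules[2].packets}
```

`demo()` returns `block` with logging for the vio0 case and `pass` without logging for the tun0 case, and the port 2222 rule ends with two evaluations but only one counted packet, which is the Evaluations-up, Packets-zero pattern from the counters quoted above. When a block rule's counters look like that, checking which interface the traffic actually enters on (and whether the `on` clause should be dropped or widened) is the first thing to verify.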
