On 5/1/06, Dmitry Andrianov <[EMAIL PROTECTED]> wrote:
Hello all.
I was under the impression that tcpdump on any interface should NOT see
incoming packets which are blocked by pf rules - these packets should
only appear on pflog0 interface (and only if logged explicitly by "block
log"/"pass log" rule).
But right now I see that tcpdump -pni em0 (where em0 is my DMZ
interface) actually sees packets which should not be there (because they
are blocked)! Interestingly enough, these packets are also visible with
tcpdump -pni pflog0. Since I do not have a single "pass + log" rule in
my ruleset, only the "block + log" ones, the only explanation I see is
that tcpdump sees packets on em0 before they are processed by pf. This
worries me because for other interfaces tcpdump does not see blocked
traffic. I wonder why this happens.

Because of the bpf hooks in each driver. This is the expected behaviour.

Regards,
Dmitry Andrianov
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.