Hello List,

I just got a similar event in my pflog.

Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 
59.167.212.41.0: SFRWE [bad hdr length]

I don't know what this is, or why it is passed.

Can someone explain or attempt a guess at what this is?

The intention of my pf.conf is to block all incoming
by default on pppoe0.

Am I doing something really stupid here?

/etc/hostname.carp1
inet 172.75.100.1 255.255.255.0 172.25.101.255 balancing ip-stealth carpnodes 
1:0,2:100 pass secret1
group dmz

/etc/hostname.carp2
inet 172.25.100.1 255.255.255.0 172.25.100.255 balancing ip-stealth carpnodes 
4:0,5:100 pass secret2
group lan

/etc/hostname.em0
up mtu 1508

/etc/hostname.em1
inet 172.75.100.4 255.255.255.0
group dmz

/etc/hostname.em2
inet 172.25.100.4 255.255.255.0
group lan

/etc/hostname.pppoe0
inet 59.167.212.41 255.255.255.255 NONE mtu 1500 \
pppoedev em0 authproto pap \
authname pppoeuser authkey pppoepass up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 ::1

/etc/pf.conf
#-----------------------------------------------------------------------
# defaults
#-----------------------------------------------------------------------
# NOTE(review): pflog lines of the form "rule def/(short) pass in ...
# [bad hdr length]" name the default rule ("def") and print that rule's
# configured action; the "(short)" reason means pf discarded the packet
# as too short before any rule matching happened, so the "pass" is not
# one of the rules below letting it through (see the quoted reply in
# this thread, which its author marks as a guess).
# private address ranges (RFC 1918); const = not changeable at runtime
table <rfc1918> const { 192.168/16 172.16/12 10/8 }
# NOTE(review): the dmz uses 172.75.100.x (hostname.carp1 / hostname.em1),
# which is outside 172.16/12 (172.16.0.0-172.31.255.255), so <rfc1918>
# does not cover it; hostname.carp1 also sets broadcast 172.25.101.255,
# which is not in 172.75.100/24. confirm whether 172.25.101.x was meant.
# <group>:network expands to the networks of the interfaces in that
# group when the ruleset is loaded
table <dmz> const { dmz:network }
table <lan> const { lan:network }
set loginterface egress
# loopback is not filtered at all
set skip on lo
# quick: final decision, nothing further down is consulted
block in quick on egress from <rfc1918>
# NOTE(review): em0 carries no address (hostname.em0 is just "up mtu
# 1508"); check how antispoof for em0 expands with pfctl -nvf /etc/pf.conf
antispoof log quick for { pppoe0 em0 }
# default-pass for everything. pf is last-match-wins, so the rules below
# narrow this. no "log" here, so default-passed traffic is not logged.
pass
block quick on egress proto carp
# no IPv6 at all on egress and dmz
block quick on { egress dmz } inet6
# inbound default-deny on egress and dmz (last match so far); the
# "pass in" rules below punch holes in it. lan is not listed, so inbound
# on lan is passed by the bare "pass" above.
block in log on { egress dmz }
#-----------------------------------------------------------------------
# ack priority
#-----------------------------------------------------------------------
# prio(1,7): tcp on egress is queued at priority 1, except empty acks
# (and lowdelay-marked packets), which get priority 7 so they are not
# stuck behind bulk data
match on egress inet proto tcp prio(1,7)
#-----------------------------------------------------------------------
# sand blasting
#-----------------------------------------------------------------------
# statefully normalises tcp connections arriving on egress
match in on egress scrub (reassemble tcp)
#match in on { egress dmz } scrub (reassemble tcp)
#match on egress scrub (max-mss 1440)

#-----------------------------------------------------------------------
# translation and redirections
#-----------------------------------------------------------------------
# outbound NAT; (egress) in parentheses follows the pppoe address as it
# changes
match out on egress nat-to (egress)
# transparent web proxy: www from lan/dmz not aimed at bincrow.net goes
# to the local proxy on 8080 (see squid below); www and any other inet
# traffic to bincrow.net is handed to the firewall itself.
# match rules only translate, they do not pass: redirected traffic from
# dmz is still subject to the "block in log" above unless a later pass
# rule (e.g. <all-dmz>) covers it — presumably intended, confirm.
# NOTE(review): bincrow.net, meile and localhost are resolved once when
# the ruleset is loaded; a changed address needs a reload.
match in on { lan dmz } inet proto tcp to ! bincrow.net \
    port www rdr-to localhost port 8080
match in on { lan dmz } inet proto tcp to bincrow.net \
    port www rdr-to localhost
match in on { lan dmz } inet to bincrow.net rdr-to localhost
#-----------------------------------------------------------------------
# incoming port forwards
#-----------------------------------------------------------------------
# torrent
# 6881 from the internet is forwarded to host "meile"; modulate state
# rewrites the initial sequence numbers on the outside leg
pass in on egress inet proto tcp to egress port 6881 rdr-to meile \
    modulate state
pass in on egress inet proto udp to egress port 6881 rdr-to meile \
    keep state
#-----------------------------------------------------------------------
# allow anyone to this
#-----------------------------------------------------------------------
# public web server on the firewall's own egress address
pass in on egress inet proto tcp from any to egress port www \
    modulate state
#-----------------------------------------------------------------------
# dns
#-----------------------------------------------------------------------
# dns from the internet only for sources listed in /etc/pf/dns-white
# (read at load; "persist" keeps the table even if no rule uses it)
table <dns-white> persist file "/etc/pf/dns-white"
pass in on egress inet proto { tcp udp } from \
    <dns-white> to egress port domain
# and for the dmz network, on the dmz address
pass in on dmz inet proto { tcp udp } from \
    <dmz> to dmz port domain
#-----------------------------------------------------------------------
# ntp
#-----------------------------------------------------------------------
# time services for the dmz network only
pass in on dmz inet proto { tcp udp } from <dmz> \
    to dmz port { daytime time ntp }
#-----------------------------------------------------------------------
# ssh - whitelist, and rate limit overflows into blacklist
#-----------------------------------------------------------------------
table <ssh-black> persist file "/etc/pf/ssh-black"
table <ssh-white> persist file "/etc/pf/ssh-white"
# NOTE(review): this whitelist rule has no "quick", so a source in
# <ssh-white> (and not in <ssh-black>) also matches the next rule, and
# last match wins: it is rate-limited and can be overloaded into
# <ssh-black> like anyone else. add "quick" here if the whitelist is
# meant to bypass the limit. the same applies to the imaps pair below.
pass in log on { egress dmz } inet proto tcp from <ssh-white> to \
    port ssh rdr-to localhost
# everyone not blacklisted: more than 1 new connection per 30 s from one
# source adds it to <ssh-black> and flushes that source's states created
# by this rule. overloaded entries live in the kernel table only
# (pfctl -t ssh-black -T show), are not written back to /etc/pf/ssh-black,
# and may not survive a ruleset reload — confirm.
# "to port ssh" names no address, so this covers ssh to any destination
# arriving on egress/dmz; rdr-to then sends it to the firewall itself.
pass in log on { egress dmz } inet proto tcp from !<ssh-black> to \
    port ssh rdr-to localhost keep state \
    (max-src-conn-rate 1/30, overload <ssh-black> flush)
#-----------------------------------------------------------------------
# imaps - whitelist, and rate limit overflows into blacklist
#-----------------------------------------------------------------------
table <imaps-black> persist file "/etc/pf/imaps-black"
table <imaps-white> persist file "/etc/pf/imaps-white"
# no "quick": whitelisted sources still fall through to the rate-limited
# rule below (last match wins)
pass in log on { egress dmz } inet proto tcp from <imaps-white> to \
    port imaps rdr-to localhost
# 2 new connections per second per source before blacklisting
pass in log on { egress dmz } inet proto tcp from !<imaps-black> to \
    port imaps rdr-to localhost keep state \
    (max-src-conn-rate 2/1, overload <imaps-black> flush)
#-----------------------------------------------------------------------
# squid - whitelist
#-----------------------------------------------------------------------
# the proxy on 8080 is reachable from the internet only for listed
# sources; lan/dmz are pointed at it by the rdr-to above
table <squid-white> persist file "/etc/pf/squid-white"
pass in on egress inet proto tcp from <squid-white> to egress port 8080
#-----------------------------------------------------------------------
# allow these to everything
#-----------------------------------------------------------------------
# <authpf_users> has no file; presumably filled by authpf(8) logins — confirm
table <authpf_users> persist
table <all-egress> persist file "/etc/pf/all-egress"
# any protocol from these sources, but only to the firewall's egress address
pass in on egress from { <authpf_users> <all-egress> } to egress
table <all-dmz> persist file "/etc/pf/all-dmz"
# these dmz sources may go anywhere, including out through the firewall
pass in on dmz from { <authpf_users> <all-dmz> } to any
#-----------------------------------------------------------------------
# smtp - spamd gatekeeps sendmail
#-----------------------------------------------------------------------
# all inbound smtp is first redirected to spamd; sources in <nospamd> or
# <spamd-white> also match the later rule and, last match winning, reach
# sendmail directly. <spamd-white> has no file and is presumably
# maintained by spamd(8)/spamlogd(8) — confirm spamd is enabled.
table <nospamd> persist file "/etc/mail/nospamd"
table <spamd-white> persist
pass in on egress proto tcp from any to egress port smtp \
    rdr-to localhost port spamd
pass in log on egress proto tcp from { <nospamd> <spamd-white> } \
    to egress port smtp modulate state
# outbound smtp from the firewall is logged
pass out log on egress proto tcp to any port smtp modulate state
#-----------------------------------------------------------------------
# smtp - direct to sendmail
#-----------------------------------------------------------------------
#pass in log on egress proto tcp from any \
#    to egress port smtp modulate state
#pass out log on egress proto tcp to any port smtp modulate state

On Mon, Nov 19, 2012 at 01:47:09PM +0100, Henning Brauer wrote:
> * Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2012-11-01 13:57]:
> > Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
> > Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0
> > win 6667 urg 0 (DF)
> > Nov 01 12:51:14.027193 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SFR [bad hdr length] (DF)
> > Nov 01 12:51:15.692047 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: RPWE [bad hdr length] (DF)
> > Nov 01 12:51:16.121181 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SFPW [bad hdr length] (DF)
> > Nov 01 12:51:17.962807 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SE [bad hdr length] (DF)
> > Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
> > Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win
> 
> > apparently something is blocked, but also something is passed since
> > I still get these messages
> > on my pflog.
> 
> need to resort to guesswork since your report lacks so much, but it
> looks like you are simply misdiagnosing. and I admit it isn't super
> obvious. seeing the "bad hdr length", pf will block these. the rule
> referred to then is the default rule. but we didn't get as far as rule
> matching, so that is misleading you.
> 
> as said, this is entirely guessed.
> 
> -- 
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/
