Hello List, I just got a similar event in my pflog.
Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]

I don't know what this is, or why it is passed. Can someone explain or attempt a guess at what this is?

The intention of my pf.conf is to block all incoming by default on pppoe0. Am I doing something really stupid here?

/etc/hostname.carp1
inet 172.75.100.1 255.255.255.0 172.25.101.255 balancing ip-stealth carpnodes 1:0,2:100 pass secret1 group dmz

/etc/hostname.carp2
inet 172.25.100.1 255.255.255.0 172.25.100.255 balancing ip-stealth carpnodes 4:0,5:100 pass secret2 group lan

/etc/hostname.em0
up mtu 1508

/etc/hostname.em1
inet 172.75.100.4 255.255.255.0 group dmz

/etc/hostname.em2
inet 172.25.100.4 255.255.255.0 group lan

/etc/hostname.pppoe0
inet 59.167.212.41 255.255.255.255 NONE mtu 1500 \
        pppoedev em0 authproto pap \
        authname pppoeuser authkey pppoepass up dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 ::1

/etc/pf.conf
#-----------------------------------------------------------------------
# defaults
#-----------------------------------------------------------------------
table <rfc1918> const { 192.168/16 172.16/12 10/8 }
table <dmz> const { dmz:network }
table <lan> const { lan:network }

set loginterface egress
set skip on lo

block in quick on egress from <rfc1918>
antispoof log quick for { pppoe0 em0 }

pass
block quick on egress proto carp
block quick on { egress dmz } inet6
block in log on { egress dmz }

#-----------------------------------------------------------------------
# ack priority
#-----------------------------------------------------------------------
match on egress inet proto tcp prio(1,7)

#-----------------------------------------------------------------------
# sand blasting
#-----------------------------------------------------------------------
match in on egress scrub (reassemble tcp)
#match in on { egress dmz } scrub (reassemble tcp)
#match on egress scrub (max-mss 1440)

#-----------------------------------------------------------------------
# translation and redirections
#-----------------------------------------------------------------------
match out on egress nat-to (egress)
match in on { lan dmz } inet proto tcp to ! bincrow.net \
        port www rdr-to localhost port 8080
match in on { lan dmz } inet proto tcp to bincrow.net \
        port www rdr-to localhost
match in on { lan dmz } inet to bincrow.net rdr-to localhost

#-----------------------------------------------------------------------
# incoming port forwards
#-----------------------------------------------------------------------
# torrent
pass in on egress inet proto tcp to egress port 6881 rdr-to meile \
        modulate state
pass in on egress inet proto udp to egress port 6881 rdr-to meile \
        keep state

#-----------------------------------------------------------------------
# allow anyone to this
#-----------------------------------------------------------------------
pass in on egress inet proto tcp from any to egress port www \
        modulate state

#-----------------------------------------------------------------------
# dns
#-----------------------------------------------------------------------
table <dns-white> persist file "/etc/pf/dns-white"
pass in on egress inet proto { tcp udp } from \
        <dns-white> to egress port domain
pass in on dmz inet proto { tcp udp } from \
        <dmz> to dmz port domain

#-----------------------------------------------------------------------
# ntp
#-----------------------------------------------------------------------
pass in on dmz inet proto { tcp udp } from <dmz> \
        to dmz port { daytime time ntp }

#-----------------------------------------------------------------------
# ssh - whitelist, and rate limit overflows into blacklist
#-----------------------------------------------------------------------
table <ssh-black> persist file "/etc/pf/ssh-black"
table <ssh-white> persist file "/etc/pf/ssh-white"
pass in log on { egress dmz } inet proto tcp from <ssh-white> to \
        port ssh rdr-to localhost
pass in log on { egress dmz } inet proto tcp from !<ssh-black> to \
        port ssh rdr-to localhost keep state \
        (max-src-conn-rate 1/30, overload <ssh-black> flush)

#-----------------------------------------------------------------------
# imaps - whitelist, and rate limit overflows into blacklist
#-----------------------------------------------------------------------
table <imaps-black> persist file "/etc/pf/imaps-black"
table <imaps-white> persist file "/etc/pf/imaps-white"
pass in log on { egress dmz } inet proto tcp from <imaps-white> to \
        port imaps rdr-to localhost
pass in log on { egress dmz } inet proto tcp from !<imaps-black> to \
        port imaps rdr-to localhost keep state \
        (max-src-conn-rate 2/1, overload <imaps-black> flush)

#-----------------------------------------------------------------------
# squid - whitelist
#-----------------------------------------------------------------------
table <squid-white> persist file "/etc/pf/squid-white"
pass in on egress inet proto tcp from <squid-white> to egress port 8080

#-----------------------------------------------------------------------
# allow these to everything
#-----------------------------------------------------------------------
table <authpf_users> persist
table <all-egress> persist file "/etc/pf/all-egress"
pass in on egress from { <authpf_users> <all-egress> } to egress
table <all-dmz> persist file "/etc/pf/all-dmz"
pass in on dmz from { <authpf_users> <all-dmz> } to any

#-----------------------------------------------------------------------
# smtp - spamd gatekeeps sendmail
#-----------------------------------------------------------------------
table <nospamd> persist file "/etc/mail/nospamd"
table <spamd-white> persist
pass in on egress proto tcp from any to egress port smtp \
        rdr-to localhost port spamd
pass in log on egress proto tcp from { <nospamd> <spamd-white> } \
        to egress port smtp modulate state
pass out log on egress proto tcp to any port smtp modulate state

#-----------------------------------------------------------------------
# smtp - direct to sendmail
#-----------------------------------------------------------------------
#pass in log on egress proto tcp from any \
#       to egress port smtp modulate state
#pass out log on egress proto tcp to any port smtp modulate state

On Mon, Nov 19, 2012 at 01:47:09PM +0100, Henning Brauer wrote:
> * Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2012-11-01 13:57]:
> > Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
> > Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0
> > win 6667 urg 0 (DF)
> > Nov 01 12:51:14.027193 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SFR [bad hdr length] (DF)
> > Nov 01 12:51:15.692047 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: RPWE [bad hdr length] (DF)
> > Nov 01 12:51:16.121181 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SFPW [bad hdr length] (DF)
> > Nov 01 12:51:17.962807 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SE [bad hdr length] (DF)
> > Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
> > Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx:
> > 74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win
> >
> > apparently something is blocked, but also something is passed since
> > I still get these messages
> > on my pflog.
>
> need to resort to guesswork since your report lacks so much, but it
> looks like you are simply misdiagnosing. and I admit it isn't super
> obvious. seeing the "bad hdr length", pf will block these. the rule
> referred to then is the default rule. but we didn't get as far as rule
> matching, so that is misleading you.
>
> as said, this is entirely guessed.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/
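As an added example (not part of the original thread), a small Python parser for the tcpdump pflog lines quoted above that, following Henning's explanation, treats entries with reason `short` as dropped before any rule was evaluated instead of trusting the printed `pass`. The regex field names, the helper names and the third (rule-matched) sample line are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# tcpdump(8) pflog decode as it appears in the thread:
#   <ts> rule <rule>/(<reason>) <action> <dir> on <if>: <src> > <dst>: <rest>
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>[^/]+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
SHORT_DROP = "dropped (short packet, no rule evaluated)"

def parse_pflog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one decoded pflog line into its fields; None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def effective_verdict(entry: Dict[str, str]) -> str:
    # Per Henning's reply: a packet too short to carry a valid header is
    # dropped before the ruleset is consulted; tcpdump then prints the default
    # rule ("def") with reason "short", so the "pass" beside it is not a ruleset
    # verdict. "[bad hdr length]" is the TCP decoder's remark and is not always
    # present (see the FPE line in the thread), so key on the reason field.
    return SHORT_DROP if entry["reason"] == "short" else entry["action"]

def summarize(lines: List[str]) -> Dict[str, int]:
    """Count short-packet drops separately from real ruleset decisions."""
    counts: Dict[str, int] = {"short_drops": 0, "unparsed": 0}
    for line in lines:
        e = parse_pflog_line(line)
        if e is None:
            counts["unparsed"] += 1
        elif effective_verdict(e) == SHORT_DROP:
            counts["short_drops"] += 1
        else:
            key = "ruleset_" + e["action"]
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample input: the first two lines are quoted from the thread,
# the third is a made-up ordinary rule-matched connection for contrast.
SAMPLE_LINES = [
    "Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: "
    "50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]",
    "Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx: "
    "74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)",
    "Jan 16 16:09:14.000001 rule 14/(match) pass in on pppoe0: "
    "203.0.113.7.40112 > 59.167.212.41.80: S 1:1(0) win 65535",
]
```

Running `summarize(SAMPLE_LINES)` reports two short-packet drops and one genuine ruleset pass, which is the split the pflog `pass` word alone hides.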