On Fri, May 24, 2024 at 06:04:25PM +0200, Peter N. M. Hansteen wrote:
> On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> > pfctl reports:
> > # pfctl -vvs rules | grep @
> > @0 block return log all
> > @1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP
> > @2 pass out log on ure0 all flags S/SA tagged UDP

Why set "flags S/SA" on a rule meant for UDP packets?

> >
> > I see that rule 1 is matched, but never rule 2. E.g.
> > ...
> > May 23 10:32:06.602759 rule 0/(match) block in on em0: 192.168.178.179.5353 > 224.0.0.251.5353: 46[|domain] (DF)
> > May 23 10:32:06.603963 rule 0/(match) block in on em0: fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 46[|domain] [flowlabel 0xbaff9]
> > May 23 10:32:09.700212 rule 0/(match) block in on em0: 192.168.178.254 > 224.0.0.1: igmp query [len 12] (DF) [tos 0xc0] [ttl 1]
> > May 23 10:32:13.267374 rule 1/(match) pass in on em0: 192.168.178.166.56334 > 192.168.178.11.54321: udp 7
> > So this last one never leaves, right?
>
> what does the gateway's routing table say about how to reach the destination
> network?
>
> also relevant, what is the configuration of the interfaces involved?
>
> I'm thinking this could be down to using RFC1918 addresses and not being
> extra careful about netmasks and routes, but we need more info on the actual
> configuration to be sure.
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> --
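As an added example (not the original poster's ruleset and not Peter's code), here is how the three rules quoted above look in a pf.conf with the protocol stated explicitly on the outbound rule as well, followed by the commands that answer Peter's two questions about routes and interfaces. The interface names em0 and ure0, the host 192.168.178.166 and the destination port 54321 come from the thread; the /24 netmask on em0 and the OpenBSD command names are assumptions. pf evaluates `flags` only against TCP packets, and `S/SA` is the default that pfctl prints for TCP rules that set none, so spelling out `proto udp` changes nothing for the datagrams but makes the `pfctl -vvs rules` output say what is meant.

```pf
# Added example, not the thread's pf.conf: rules @0-@2 with explicit protocols.
# em0 = LAN side (192.168.178.0/24, netmask assumed; confirm with ifconfig em0),
# ure0 = the interface the poster expects the datagrams to leave on.
lan_if  = "em0"
out_if  = "ure0"
lan_net = "192.168.178.0/24"

set skip on lo

# @0: default deny, logged, so anything not matched below appears on pflog0.
block return log all

# @1: inbound UDP from the one host, tagged so the outbound rule can find it.
# This rule keeps state; with the default "floating" state policy the state
# created here also matches the same datagram when it leaves on $out_if, so
# the outbound packet is passed by state and rule @2 is never consulted
# (and therefore never logged). "set state-policy if-bound" changes that.
pass in log on $lan_if inet proto udp from 192.168.178.166 to any tag UDP

# @2: protocol stated explicitly. "flags" is a TCP-only check, so the quoted
# "all flags S/SA" form would not have stopped UDP either; this is just clearer.
pass out log on $out_if inet proto udp tagged UDP

# --- Checks for Peter's questions (OpenBSD commands assumed, run as root) ---
# pfctl -nf /etc/pf.conf          # syntax check before loading
# pfctl -vvs rules                # rule numbers, match counters, defaults shown
# pfctl -vvss | grep 54321        # is there a state for the UDP flow, and which
#                                 # interface and rule number does it carry?
# route -n show -inet             # does 192.168.178.11 actually route via ure0,
#                                 # or does it fall inside em0's own subnet?
# ifconfig em0; ifconfig ure0     # addresses and netmasks of both interfaces
# tcpdump -n -e -ttt -i pflog0    # live view of logged rule matches
```

The route and ifconfig checks are the ones to run first: the logged destination 192.168.178.11 sits in the same 192.168.178.0/24 range as the source, so if em0 carries that netmask the datagram is sent back out em0 and never reaches ure0 at all, which is the netmask-and-routes mistake Peter is hinting at. The state-table check covers the other common explanation for "rule 2 never matches": an outbound packet passed by an existing floating state produces no "rule N/(match)" line in pflog, so a missing log entry alone does not prove the packet never left.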