On 01:10:03 Nov 21, Joe S wrote:
> OS: OpenBSD 4.4 RELEASE i386
> 
> PF is blocking traffic that I want it to pass. I notice this when I
> run nmap 4.76 (compiled from source). It appears that my packets are
> being dropped because they don't match the "pass out quick" rule in my
> pf.conf. I noticed this rule is modified due to the default setting to
> match on flags S/SA. How do I create a rule to ignore the flags S/SA
> so that my scans can complete?
> 
> # nmap -sS -T5 -sV -p- 2.2.2.2
> Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-20 22:47 PST
> sendto in send_ip_packet: sendto(4, packet, 40, 0, 2.2.2.2, 16) => No
> route to host
> Offending packet: TCP 1.1.1.1:37016 > 2.2.2.2:80 A ttl=45 id=13618
> iplen=40  seq=3279582132 win=2048 ack=3457570278
> Sleeping 15 seconds then retrying
> sendto in send_ip_packet: sendto(4, packet, 40, 0, 2.2.2.2, 16) => No
> route to host
> Offending packet: TCP 1.1.1.1:37016 > 2.2.2.2:80 A ttl=45 id=13618
> iplen=40  seq=3279582132 win=2048 ack=3457570278
> Sleeping 60 seconds then retrying
> 
> (truncated for brevity)
> 
> 
> PF logs show that the packets are dropped due to rule 0 match:
> 
> # tcpdump -n -e -ttt -s 1514 -r /var/log/pflog host 2.2.2.2
> Nov 20 22:42:37.938337 rule 0/(match) block out on fxp0: 1.1.1.1.46363
> > 2.2.2.2.80: . ack 834370022 win 2048
> Nov 20 22:42:52.940776 rule 0/(match) block out on fxp0: 1.1.1.1.46363
> > 2.2.2.2.80: . ack 1 win 2048
> Nov 20 22:45:02.202499 rule 0/(match) block out on fxp0: 1.1.1.1.42175
> > 2.2.2.2.80: . ack 2174811336 win 1024
> Nov 20 22:45:17.206752 rule 0/(match) block out on fxp0: 1.1.1.1.42175
> > 2.2.2.2.80: . ack 1 win 1024
> Nov 20 22:46:17.194321 rule 0/(match) block out on fxp0: 1.1.1.1.42175
> > 2.2.2.2.80: . ack 1 win 1024
> Nov 20 22:47:12.874250 rule 0/(match) block out on fxp0: 1.1.1.1.37016
> > 2.2.2.2.80: . ack 3457570278 win 2048
> Nov 20 22:47:27.877828 rule 0/(match) block out on fxp0: 1.1.1.1.37016
> > 2.2.2.2.80: . ack 1 win 2048
> Nov 20 22:48:27.865343 rule 0/(match) block out on fxp0: 1.1.1.1.37016
> > 2.2.2.2.80: . ack 1 win 2048
> 
> (truncated for brevity)
> 
> 
> Here are my PF rules:
> 
> # pfctl -s rules
> block return log all
> block return in quick inet6 all
> pass quick proto icmp all keep state allow-opts
> pass out quick all flags S/SA keep state allow-opts
> pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA
> keep state
> pass in on fxp0 proto tcp from any to (fxp0) port = www flags S/SA keep state
> pass quick on vlan0 all flags S/SA keep state allow-opts
> pass quick on vlan1 all flags S/SA keep state allow-opts
> 
> 
> Here is my pf.conf:
> 
> # cat /etc/pf.conf
> 
> # SETTINGS
> set block-policy return
> set loginterface fxp0
> set skip on lo
> scrub in
> 

What happens when you remove the above scrub line?

Have you tested?

-Girish
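The pflog lines in the original post already answer the "why rule 0?" part of the question: `flags S/SA` on a pass rule means that, of the SYN and ACK bits, SYN must be set and ACK must be clear, so such a rule only ever matches the first packet of a handshake and leaves the rest of the connection to the state entry. A bare ACK that has no state (tcpdump prints its flags as `.`, meaning none of SYN/FIN/RST/PSH is set) matches no `flags S/SA` rule in either direction and falls through to `block return log all`, which `pfctl -vvsr` lists as rule `@0`. The following shell script is an added example, not code from the thread, that turns `tcpdump -n -e -ttt -r /var/log/pflog` output into a per-rule, per-direction, per-flag summary so this can be confirmed from the log rather than guessed. The sample lines are constructed: the two blocked outbound ACK-only probes from the post (joined back onto single lines), plus an invented inbound ACK-only packet and an invented inbound SSH SYN attributed to rule 4, which is where `pass in log ... port = ssh` sits under the `pfctl -s rules` ordering shown (an assumption about the numbering). The awk field positions assume exactly the line shape shown in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the OpenBSD
# "tcpdump -n -e -ttt -r /var/log/pflog" line format seen in the post and
# reports which rule matched, in which direction, and with which TCP flags.
#
# Field positions (awk whitespace split) assume lines shaped like:
#   Nov 20 22:42:37.938337 rule 0/(match) block out on fxp0: 1.1.1.1.46363 > 2.2.2.2.80: . ack 834370022 win 2048
#   $4=rule  $5=N/(match)  $6=action  $7=direction  $9=iface:  $10=src  $12=dst:  $13=tcp-flags

# Constructed sample: two blocked outbound bare-ACK probes from the post, plus
# a constructed inbound bare ACK and a constructed inbound SSH SYN logged by
# the "pass in log ... port = ssh" rule (rule 4 under the post's ordering;
# that numbering is an assumption).
PFLOG_SAMPLE='Nov 20 22:42:37.938337 rule 0/(match) block out on fxp0: 1.1.1.1.46363 > 2.2.2.2.80: . ack 834370022 win 2048
Nov 20 22:42:52.940776 rule 0/(match) block out on fxp0: 1.1.1.1.46363 > 2.2.2.2.80: . ack 1 win 2048
Nov 20 22:50:01.000000 rule 0/(match) block in on fxp0: 3.3.3.3.40000 > 1.1.1.1.80: . ack 1 win 512
Nov 20 22:51:15.000000 rule 4/(match) pass in on fxp0: 3.3.3.3.51000 > 1.1.1.1.22: S 10:10(0) win 65535'

# summarize_pflog: stdin = pflog tcpdump lines; stdout = one line per
# (rule, action, direction, interface, tcp flags) with a packet count.
# tcpdump prints "." when none of SYN/FIN/RST/PSH is set, i.e. a bare ACK,
# which can never satisfy a rule carrying "flags S/SA".
summarize_pflog() {
  awk '
    $4 == "rule" {
      split($5, r, "/")             # "0/(match)" -> rule number 0
      ifc = $9; sub(/:$/, "", ifc)  # strip the trailing colon from "fxp0:"
      key = "rule=" r[1] " " $6 " " $7 " on " ifc " tcpflags=" $13
      n[key]++
    }
    END { for (k in n) print k " count=" n[k] }
  ' | sort
}

# count_blocked_nonsyn: number of blocked packets that were bare ACKs ("."),
# i.e. the packets a "flags S/SA" pass rule declines to match.
count_blocked_nonsyn() {
  awk '$4 == "rule" && $6 == "block" && $13 == "." { c++ } END { print c + 0 }'
}

# Usage against the constructed sample; on the firewall, feed it
# "tcpdump -n -e -ttt -r /var/log/pflog" instead.
printf '%s\n' "$PFLOG_SAMPLE" | summarize_pflog
printf '%s\n' "$PFLOG_SAMPLE" | count_blocked_nonsyn
```

Reading the summary next to `pfctl -vvsr` (which prefixes each rule with its `@N` number) maps every `rule N/(match)` line back to the rule text; in the post's ruleset only rule 0 and the ssh rule carry `log`, so traffic passed by the other rules never appears in pflog at all, and a flow that shows up only as `rule=0 block ... tcpflags=.` is a stateless non-SYN packet, not a routing or interface problem.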
