Hi,

Quoting [EMAIL PROTECTED]:
> Why if I'm blocking a type of connection do I see the blocked traffic
> hitting an interface which should be blocked?
>
> # tcpdump -i pflog0 -n -e -ttt
>
> Sep 09 07:21:43.839968 rule 288/0(match): block in on xl0:
> 139.142.113.124.4252 > XXX.XXX.XXX.XXX.135: S 1869485513:1869485513(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
>
> # tcpdump -i xl0 dst XXX.XXX.XXX.XXX
>
> 07:21:50.453699 139.142.113.124.4252 > hXXX-XXX-XXX-XXX.isp.net.epmap:
> S 1869485513:1869485513(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)

Because it's the normal behavior of an OS with a packet filter:
- an incoming IP packet hits the interface
- the IP stack passes the packet to the packet filter for analysis

In your case, the IP packet (TCP SYN of the Blaster worm, probably) hits
your external interface (trace of 'tcpdump'), then PF, with your rules,
blocks this packet.

A++ Foxy

-- 
Laurent Cheylus <[EMAIL PROTECTED]>
OpenPGP ID 0x5B766EC2
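
One way to confirm this ordering from the two captures, as an added example that is not part of the original message: match each packet seen on the interface to a pflog0 entry by addresses, ports and TCP sequence number. The sample lines are constructed from the ones quoted above with documentation addresses, both captures are assumed to use `-n`, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the two captures quoted in the thread
# (documentation addresses, numeric output as with tcpdump -n).
PFLOG_LINES = [
    "Sep 09 07:21:43.839968 rule 288/0(match): block in on xl0: "
    "198.51.100.24.4252 > 192.0.2.10.135: S 1869485513:1869485513(0) "
    "win 8760 <mss 1460,nop,nop,sackOK> (DF)",
]
WIRE_LINES = [
    "07:21:50.453699 198.51.100.24.4252 > 192.0.2.10.135: "
    "S 1869485513:1869485513(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    "07:21:52.118204 198.51.100.77.1033 > 192.0.2.10.25: "
    "S 73402211:73402211(0) win 16384 <mss 1460> (DF)",
]

FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
                  r"(\S+) (\d+):\d+\(\d+\)")
PFLOG = re.compile(r"rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\w+): ")

def flow_key(line):
    """(src, sport, dst, dport, flags, seq); a retransmitted SYN keeps its seq."""
    m = FLOW.search(line)
    return m.groups() if m else None

def pflog_verdicts(lines):
    """Map each logged flow to the PF decision recorded on pflog0."""
    verdicts = {}
    for line in lines:
        rule, key = PFLOG.search(line), flow_key(line)
        if rule and key:
            num, action, direction, iface = rule.groups()
            verdicts[key] = f"{action} {direction} on {iface} (rule {num})"
    return verdicts

def classify(wire_lines, pflog_lines):
    """Label every packet seen on the interface with PF's logged verdict."""
    verdicts = pflog_verdicts(pflog_lines)
    out = []
    for line in wire_lines:
        key = flow_key(line)
        if key:
            # No entry means passed, or matched a rule without the log keyword.
            out.append((f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}",
                        verdicts.get(key, "no pflog entry")))
    return out

if __name__ == "__main__":
    for flow, verdict in classify(WIRE_LINES, PFLOG_LINES):
        print(f"{flow:40} {verdict}")
```

A packet that shows up on the interface capture and also carries a `block` verdict was seen by tcpdump before PF dropped it, which is the situation in the question.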
