Good catch, that was exactly it.
Thank you,
Andrew Eaton

-----Original Message-----
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 18, 2003 2:45 AM
To: Eaton, Andy
Cc: [EMAIL PROTECTED]
Subject: Re: authpf problem on a bridge

On Mon, Nov 17, 2003 at 11:02:45PM -0600, Andrew Eaton wrote:

> anchor authpf
>
> block drop in log quick from any to <blocks>
> block drop in log quick from <blocks> to any
>
> pfctl -a authpf -s rules shows: (user logged in)
> pass in log quick inet proto tcp from 172.16.8.71 to any keep state
> pass in log quick inet proto udp from 172.16.8.71 to any keep state
>
> That 172 address is my address. Yet none of the traffic seems to
> hit anchor. All that traffic hits the second block statement used for
> testing according to tcpdump.

One explanation would be that the traffic is not plain IPv4 TCP or UDP,
but something encapsulated. If so, it wouldn't match the user's rule in
the anchor (which specifies 'inet proto tcp/udp') but match the
subsequent block rule (which doesn't restrict protocol to tcp/udp).

Run tcpdump -s 256 -nvvvXi and quote one of the blocked packets,
including the hexdump of the packet. It's sometimes hard to spot
encapsulation in tcpdump output, as it automatically prints the inner
header. The hexdump will show the complete packet, with the outermost
header, relevant for pf.

Daniel
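An added illustration of Daniel's point, written for this page and not taken from the thread: it rebuilds raw bytes from the hex columns of a `tcpdump -X` dump, decodes only the outermost IPv4 header (the one pf evaluates), and checks whether the authpf anchor rule `pass in inet proto tcp/udp from 172.16.8.71` would match. The two sample packets (a plain TCP SYN and the same SYN wrapped in IP-in-IP, protocol 4), the destination 10.0.0.1 and the hexdump renderer are constructed here; they are not captures from the poster's bridge.

```python
import string
import struct
from ipaddress import IPv4Address
from itertools import takewhile

PROTO_NAMES = {1: "icmp", 4: "ipencap", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

def parse_tcpdump_hexdump(text):
    """Turn the hex columns of `tcpdump -X` output back into raw packet bytes.
    A line is '0x0010:  4500 003c ...  E..<': offset, up to eight 16-bit groups, then ASCII."""
    raw = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower().startswith("0x"):   # skip the summary line(s)
            hexgroups = takewhile(lambda g: len(g) in (2, 4) and all(c in string.hexdigits for c in g),
                                  tokens[1:9])             # never more than 8 groups per line
            raw += bytes.fromhex("".join(hexgroups))
    return bytes(raw)

def outer_ipv4(raw):
    """Decode only the outermost IPv4 header; that is what pf's 'inet proto ...'
    matches on, whatever tcpdump's one-line summary happens to show."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outermost header is not IPv4")
    return {"proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}

def authpf_rule_matches(raw, user_ip):
    """Would 'pass in inet proto {tcp,udp} from <user_ip> to any' fire on this packet?"""
    hdr = outer_ipv4(raw)
    return hdr["src"] == user_ip and hdr["proto"] in (6, 17)

# --- constructed sample packets, not captured from the poster's bridge ---
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
PLAIN_TCP = ipv4(6, "172.16.8.71", "10.0.0.1", TCP_SYN)
IPIP_TCP = ipv4(4, "172.16.8.71", "10.0.0.1", PLAIN_TCP)   # same SYN inside IP-in-IP
def hexdump_like_tcpdump(raw):
    """Render bytes in the `tcpdump -X` layout so the parser can be exercised offline."""
    lines = []
    for off in range(0, len(raw), 16):
        chunk = raw[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {groups:<39}  {text}")
    return "\n".join(lines)
```

For a real capture, paste the `0x....:` lines of one blocked packet into `parse_tcpdump_hexdump` and look at `outer_ipv4(...)["proto_name"]`; anything other than tcp or udp explains why the anchor rule is skipped and the catch-all block rule fires.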
