-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have a problem with PF logs on OpenBSD 3.4-stable version. I received a lot of packets from loopback address 127.0.0.1 port 80:

- TCP RST packets sent by clients infected by Blaster Worm and use of my personal address for IP source spoofing !!!
- bad configuration from my ISP who routes those packets on Internet, contrary to RFC 1918

TCPdump capture:

  tcpdump -vnttt -i rl0 host 127.0.0.1
  tcpdump: listening on rl0
  Jan 09 12:38:42.852200 127.0.0.1.80 > 82.67.44.32.1100: R [tcp sum ok] 0:0(0) ack 1155203073 win 0 (ttl 124, id 42636)

rl0 is my external interface connected to my ISP with ADSL [Free in France with 5.5 Mbps DL line :-)) ].

But I have a problem with PF log for those packets. Indeed, at the same time, my PF logs are:

  Jan 09 12:17:27.521217 rule 4/0(match): block in on rl0: 82.67.74.157.1025 > 82.67.44.32.1878: R [tcp sum ok] 0:0(0) ack 1478361089 win 0 (ttl 124, id 26924)
  Jan 09 12:39:46.932487 rule 5/0(match): block in on rl0: 61.241.249.22.1034 > 82.67.44.32.1434: udp 376 (ttl 109, id 12278)
  Jan 09 12:58:00.343333 rule 4/0(match): block in on rl0: 82.67.74.157.1025 > 82.67.44.32.1018: R [tcp sum ok] 0:0(0) ack 159318017 win 0 (ttl 124, id 26501)

No log for loopback address 127.0.0.1, but my PF rules are:

  > sudo pfctl -sr
  scrub in all fragment reassemble
  block drop out log all
  block return-rst out log proto tcp all
  block return-icmp(port-unr, port-unr) out log proto udp all
  block drop in log all
  block return-rst in log proto tcp all
  block return-icmp(port-unr, port-unr) in log proto udp all
  block drop in log quick on rl0 inet from 127.0.0.0/8 to any
  block drop in log quick on rl0 inet from 192.168.0.0/16 to any
  block drop in log quick on rl0 inet from 172.16.0.0/12 to any
  block drop in log quick on rl0 inet from 10.0.0.0/8 to any
  block drop out log quick on rl0 inet from any to 127.0.0.0/8
  block drop out log quick on rl0 inet from any to 192.168.0.0/16
  block drop out log quick on rl0 inet from any to 172.16.0.0/12
  block drop out log quick on rl0 inet from any to 10.0.0.0/8
  block drop in log on ! lo0 inet from 127.0.0.0/8 to any
  block drop in log on ! lo0 inet6 from ::1 to any
  pass in quick on lo0 all
  pass out quick on lo0 all
  pass in quick on rl1 all
  pass out quick on rl1 all
  (...)

I have 2 rules for logging packets blocked on rl0 (antispoofing on lo0 and reject private nets according to RFC 1918) but no packets logged with those rules !!!

Some bug on PF or an error in my configuration that I don't understand :-(

Thx, Foxy.

-- 
Laurent Cheylus <[EMAIL PROTECTED]> OpenPGP ID 0x5B766EC2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE//pOEHFEfP1t2bsIRAh8+AJ0XQt1yT5PooxMe7dCIddpHDp+KUgCfVoIn
E/nMW4MDy9TnG9q5Hpv3YVY=
=82Ic
-----END PGP SIGNATURE-----
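The post compares a raw tcpdump capture on rl0 with pflog output and finds packets in the first that never appear in the second. The script below is an added example, not code from the post or from OpenBSD; it automates that comparison. It parses the two tcpdump line formats quoted in the message (plain interface capture, and pflog lines carrying the `rule N/0(match): block in on rl0:` prefix), classifies source addresses against the same networks the quoted ruleset blocks (127/8 and the three RFC 1918 ranges), and lists bogon-source packets seen on the wire whose (src, sport, dst, dport) tuple never reached pflog. Matching on that 4-tuple rather than on timestamps is an assumption of this example (BPF and pflog timestamps differ); the sample lines are the ones quoted in the post.

```python
"""Cross-check a raw interface capture against pflog output.

Added example, not the poster's code. Parses the two tcpdump line formats
quoted in the message and reports bogon-source packets that were seen on
the wire but never logged by a PF rule.
"""
import ipaddress
import re
from collections import Counter

# Networks that the poster's "block drop in log quick on rl0" rules cover.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Plain capture: "<ts> <src>.<sport> > <dst>.<dport>: ..."
# pflog line:    "<ts> rule <n>/<sub>(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?:rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return a dict for one capture/pflog line, or None for non-packet lines
    (e.g. "tcpdump: listening on rl0")."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"]) if d["rule"] is not None else None
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def is_bogon_source(pkt):
    """True if the packet's source lies in a range that must not appear on the wire."""
    src = ipaddress.ip_address(pkt["src"])
    return any(src in net for net in BOGON_NETS)


def flow_key(pkt):
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def rule_histogram(pflog_lines):
    """How many log entries each PF rule number produced; compare with pfctl -sr ordering."""
    return dict(Counter(p["rule"] for p in map(parse_line, pflog_lines) if p))


def unlogged_bogons(wire_lines, pflog_lines):
    """Bogon-source packets seen on the wire whose flow never appears in pflog."""
    logged = {flow_key(p) for p in map(parse_line, pflog_lines) if p}
    return [p for p in map(parse_line, wire_lines)
            if p and is_bogon_source(p) and flow_key(p) not in logged]


# Sample input: the lines quoted in the mailing-list post.
WIRE = [
    "tcpdump: listening on rl0",
    "Jan 09 12:38:42.852200 127.0.0.1.80 > 82.67.44.32.1100: R [tcp sum ok] 0:0(0) ack 1155203073 win 0 (ttl 124, id 42636)",
]
PFLOG = [
    "Jan 09 12:17:27.521217 rule 4/0(match): block in on rl0: 82.67.74.157.1025 > 82.67.44.32.1878: R [tcp sum ok] 0:0(0) ack 1478361089 win 0 (ttl 124, id 26924)",
    "Jan 09 12:39:46.932487 rule 5/0(match): block in on rl0: 61.241.249.22.1034 > 82.67.44.32.1434: udp 376 (ttl 109, id 12278)",
    "Jan 09 12:58:00.343333 rule 4/0(match): block in on rl0: 82.67.74.157.1025 > 82.67.44.32.1018: R [tcp sum ok] 0:0(0) ack 159318017 win 0 (ttl 124, id 26501)",
]

if __name__ == "__main__":
    print("rules hit in pflog:", rule_histogram(PFLOG))
    for p in unlogged_bogons(WIRE, PFLOG):
        print("on wire, never logged:", p["ts"], p["src"], "->", p["dst"], "port", p["dport"])
```

The script only measures the gap; it cannot say why a packet never reached a logging rule. A tcpdump on rl0 reads from BPF, which taps the interface ahead of the IP input path, so a packet that the kernel discards on a sanity check before handing it to PF (OpenBSD's IP input rejects 127/8 source or destination addresses arriving on a non-loopback interface, following RFC 1122) would show up in the wire capture and in no pflog line at all; the kernel's IP counters (`netstat -s`) are the place to confirm or rule that out.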
