On Sun, Feb 22, 2004 at 01:31:51PM -0500, Christopher Kruslicky wrote:
> I restricted traceroute to root for now, since it's setuid I wasn't sure which
> way it would come through. Anyway, I still see the blocked packets in the
> pflog, for example:
Filtering on user/group in pf only works for TCP/UDP sockets that have a PCB (protocol control block) entry in tcbtable or udbtable. Traceroute uses a raw socket to send out the UDP packets with custom TTL, which, unlike a UDP socket normally bound or connected, doesn't get a udbtable PCB entry. That's why pf's lookup doesn't find a matching PCB and hence can't figure out the corresponding uid/gid. The uid/gid is 'unknown' in this case (like when the connection is forwarded), and unknown doesn't match 'user = root', hence the rule doesn't match.

If this was just a theoretical test for uid/gid matching, I suggest trying with an ordinary TCP or UDP application. If you really want to match traceroute running locally, you could try matching with 'user = unknown' and preventing non-local traffic from matching that with other rules.

Daniel
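The suggestion at the end of the reply, spelled out as a pf.conf fragment. This is an added example, not a ruleset from Daniel or from the OpenBSD project; the interface name fxp0, the address macro, and the UDP port range 33434:33523 (the traceroute default base port plus 30 hops times 3 probes) are assumptions for illustration. Since raw-socket senders and forwarded packets both show up as user 'unknown', the fragment keeps the 'unknown' match usable only for packets that are sourced from this host's own address, and lets pf's last-matching-rule semantics do the rest.

```pf
# Assumed interface and address; adjust for the real host.
ext_if   = "fxp0"
ext_addr = "192.0.2.10"

# Ordinary TCP/UDP sockets have a tcbtable/udbtable PCB, so pf can
# resolve the uid. This is the case where 'user = root' matches.
block out log on $ext_if proto { tcp, udp } user = root

# traceroute(8) sends via a raw socket with no udbtable entry, so pf
# reports uid 'unknown'. Forwarded packets are 'unknown' too, so block
# the whole class first, then allow only what is sourced locally.
block out log on $ext_if user = unknown

# Assumed traceroute probe range: 33434 + (30 hops * 3 probes) - 1.
# 'from $ext_addr' keeps forwarded packets from matching this rule;
# pf evaluates rules last-match-wins, so this pass overrides the
# preceding block only for local raw-socket UDP probes.
pass out on $ext_if inet proto udp from $ext_addr to any \
    port 33434:33523 user = unknown
```

After loading the ruleset with pfctl -f /etc/pf.conf, a blocked packet still logged to pflog should then come only from a non-local source or a port outside the assumed range; swapping the final rule to block would turn this into the "block local traceroute" case while leaving ordinary socket-based traffic under the user = root rule.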
