On Thursday 26 February 2004 11:58 am, Daniel Hartmeier wrote:
> On Sun, Feb 22, 2004 at 01:31:51PM -0500, Christopher Kruslicky wrote:
> > I restricted traceroute to root for now, since it's setuid I wasn't sure
> > which way it would come through.  Anyway, I still see the blocked packets
> > in the pflog, for example:
>
> Filtering on user/group in pf only works for TCP/UDP sockets that have a
> PCB (protocol control block) entry in tcbtable or udbtable.
>
> Traceroute uses a raw socket to send out the UDP packets with custom
> TTL, which, unlike a UDP socket normally bound or connected, doesn't get
> a udbtable PCB entry. That's why pf's lookup doesn't find a matching PCB
> and hence can't figure out the corresponding uid/gid. The uid/gid is
> 'unknown' in this case (like when the connection is forwarded), and
> unknown doesn't match 'user = root', hence the rule doesn't match.

Ahh, ok.  Thanks for the clarification.  I'll probably use 'user unknown' 
then, along with rules for ssh, telnet, and others which, of course, worked 
fine when I tested those later.
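To make the distinction Daniel describes concrete, here is an added pf.conf fragment (not from the original thread, and not from either poster); the `$ext_if` macro and the port range are assumptions, the range being the classic UDP traceroute probe ports:

```pf
# Added example, not from the original thread. $ext_if is an assumed macro.
ext_if = "em0"

block out log on $ext_if all

# Matches as expected: ssh and telnet clients use ordinary TCP sockets that
# have a tcbtable PCB entry, so pf can resolve the owning uid.
pass out on $ext_if proto tcp from any to any port { ssh, telnet } user root keep state

# Never matches traceroute, even when run by root: its UDP probes go out on a
# raw socket with no udbtable entry, so pf's PCB lookup fails and the uid is
# reported as "unknown" rather than root.
# pass out on $ext_if proto udp from any to any port 33434:33523 user root keep state

# Matches the probes: "unknown" is what pf assigns when no PCB is found. It
# also covers forwarded traffic, so keep the rule narrow (protocol, port range)
# rather than passing "user unknown" for everything.
pass out on $ext_if proto udp from any to any port 33434:33523 user unknown keep state
```

Load with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0` to confirm the probes are no longer logged as blocked.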
