Forrest Aldrich wrote:
I've been watching for other instances of this problem.  Got one today:

   [ EST time ]
   61.168.43.84 - - [29/Dec/2005:19:17:59 -0500] "GET http://umsky.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b HTTP/1.1" 404 205


Here are the relevant rules (I posted my full pf.conf previously):

   table <abuse> persist file "/etc/pf.d/abuse"

   rdr on $ext_if inet proto tcp from ! <abuse> to ($ext_if) \
       port 80 -> $server port 80

   block in quick on $ext_if from <abuse> to any


As far as I can tell, the RDR rule should have prevented him from getting to port 80... failing that, almost certainly the "block in quick" should have, but it didn't.

What's even more interesting is:

[EMAIL PROTECTED] grep 61.168.43 /etc/pf.d/abuse
/etc/pf.d/abuse:61.168.43.0/24

(okay, the entry is there and is valid)

[EMAIL PROTECTED] pfctl -t abuse -vvTt 61.168.43.84
0/1 addresses match.
  61.168.43.84  nomatch

Huh??

What does "pfctl -t abuse -Ts | grep 61.168.43" show?
Cedric
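
The comparison Cedric's question points at, as an added example that is not part of the original thread: it checks whether the address is covered by an entry in the table file and by an entry in the table as currently loaded, and lists the entries present on only one side. Both sample texts are constructed (only the 61.168.43.0/24 entry comes from the post); the loaded-table text stands in for `pfctl -t abuse -Ts` output and does not represent what Forrest's system printed. It assumes entries are plain addresses or CIDR prefixes.

```python
import ipaddress

# Constructed sample of /etc/pf.d/abuse; only 61.168.43.0/24 is from the post.
ABUSE_FILE = """\
# abuse sources
192.0.2.0/24
61.168.43.0/24
198.51.100.7
"""

# Constructed stand-in for `pfctl -t abuse -Ts` output, as it would look if
# the table had been loaded before the /24 was added to the file.
LOADED_TABLE = """\
   192.0.2.0/24
   198.51.100.7
"""

def parse_entries(text):
    """Parse one entry per line; skip blanks, comments and negated (!) entries."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        nets.add(ipaddress.ip_network(line, strict=False))
    return nets

def covering(nets, addr):
    """Networks in nets that contain addr, most specific first."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return sorted(hits, key=lambda n: -n.prefixlen)

def compare(file_text, table_text, addr):
    """Report how addr matches the file and the loaded table, plus any drift."""
    in_file, loaded = parse_entries(file_text), parse_entries(table_text)
    return {
        "file_match": covering(in_file, addr),
        "table_match": covering(loaded, addr),
        "only_in_file": sorted(in_file - loaded, key=str),
        "only_in_table": sorted(loaded - in_file, key=str),
    }

if __name__ == "__main__":
    result = compare(ABUSE_FILE, LOADED_TABLE, "61.168.43.84")
    for key, value in result.items():
        print(f"{key}: {[str(v) for v in value]}")
```

An address that appears under `file_match` but not under `table_match` reproduces the combination shown in the post: grep finds the prefix in the file while the table test reports `nomatch`.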