Re: tcpdump shows packets going from 0.0.0.0.0 > 0.0.0.0.0, what does this mean?

2011-05-24 Thread Kevin Chadwick
On Sun, 22 May 2011 12:10:24 +0200
Andreas Bartelt wrote:

> Hello Brett,
> 
> On 05/22/11 09:02, Brett Mahar wrote:
> > Hi misc,
> > 
> > I have been playing around with pf lately, and have noticed a bunch of
> > packets going from 0.0.0.0.0 to 0.0.0.0.0. I know 0.0.0.0 sometimes
> > means the network address, but am not sure why these packets are getting
> > through the firewall, or even if they are.
> > 
> > Also, when tcpdump says (for example) rule 8 does that mean the 8th
> > line in the output of pfctl -sr?
> > 
> > I cannot find an explanation on website or man pages.
> 
> I'm also seeing this for my pass in log (all to pflog0) ... rules. If
> you remove the all keyword, you'll see the correct IP addresses at
> session initialization in the logs.
> 
> Best regards
> Andreas



Surely that just hides them. Does this happen with current or is it
expected to allow the new logging functionality?



tcpdump shows packets going from 0.0.0.0.0 > 0.0.0.0.0, what does this mean?

2011-05-22 Thread Brett Mahar

Hi misc,

I have been playing around with pf lately, and have noticed a bunch of 
packets going from 0.0.0.0.0 to 0.0.0.0.0. I know 0.0.0.0 sometimes 
means the network address, but am not sure why these packets are getting 
through the firewall, or even if they are.


Also, when tcpdump says (for example) rule 8 does that mean the 8th 
line in the output of pfctl -sr?


I cannot find an explanation on website or man pages.

Cheers,
Brett.

PS Happy birthday, Theo, I will buy a tshirt and a cd set (once I've got 
a new job!)


-

Output from tcpdump:

tcpdump -n -e -ttt -i pflog0

May 21 23:47:37.376825 rule 8/(match) pass out on athn0: 0.0.0.0.0 > 0.0.0.0.0: . ack 743779200 win 1927 <nop,nop,timestamp 514120164 0> (DF)
May 21 23:47:37.540667 rule 8/(match) pass in on athn0: 0.0.0.0.0 > 0.0.0.0.0: . 12584:14032(1448) ack 462 win 2172 <nop,nop,timestamp 3845107508 514120164> (DF)
May 21 23:47:37.544679 rule 8/(match) pass in on athn0: 0.0.0.0.0 > 0.0.0.0.0: P 14032:15065(1033) ack 462 win 2172 <nop,nop,timestamp 3845107508 514120164> (DF)
May 21 23:47:37.544701 rule 8/(match) pass out on athn0: 0.0.0.0.0 > 0.0.0.0.0: . ack 743781681 win 1918 <nop,nop,timestamp 514120165 0> (DF)
May 21 23:47:37.544708 rule 8/(match) pass in on athn0: 0.0.0.0.0 > 0.0.0.0.0: P 15065:15070(5) ack 462 win 2172 <nop,nop,timestamp 3845107508 514120164> (DF)
May 21 23:47:37.742617 rule 8/(match) pass out on athn0: 0.0.0.0.0 > 0.0.0.0.0: . ack 743781686 win 2048 <nop,nop,timestamp 514120165 0> (DF)

^C
29 packets received by filter
0 packets dropped by kernel
---
My pf.conf file (I know there is overlap/over-redundancy here):

set block-policy drop

block in log (all, to pflog0) on ! lo0 proto tcp to port 6000:6010

block in quick from urpf-failed

antispoof quick for athn0 inet

block in log (all, to pflog0) all
block out log (all, to pflog0) all

match in all scrub (no-df)

block in log (all, to pflog0) on athn0

pass out log (all, to pflog0) on athn0 proto { tcp udp icmp icmp6 } all modulate state


--
# pfctl -sr
block drop in log (all) on ! lo0 proto tcp from any to any port 6000:6010
block drop in quick on ! athn0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.134 to any
block drop in quick from urpf-failed to any
block drop in log (all) all
block drop out log (all) all
match in all scrub (no-df)
block drop in log (all) on athn0 all
pass out log (all) on athn0 proto tcp all flags S/SA modulate state
pass out log (all) on athn0 proto udp all keep state
pass out log (all) on athn0 proto icmp all keep state
pass out log (all) on athn0 proto ipv6-icmp all keep state

--



Re: tcpdump shows packets going from 0.0.0.0.0 > 0.0.0.0.0, what does this mean?

2011-05-22 Thread Andreas Bartelt

Hello Brett,

On 05/22/11 09:02, Brett Mahar wrote:

> Hi misc,
> 
> I have been playing around with pf lately, and have noticed a bunch of
> packets going from 0.0.0.0.0 to 0.0.0.0.0. I know 0.0.0.0 sometimes
> means the network address, but am not sure why these packets are getting
> through the firewall, or even if they are.
> 
> Also, when tcpdump says (for example) rule 8 does that mean the 8th
> line in the output of pfctl -sr?
> 
> I cannot find an explanation on website or man pages.



I'm also seeing this for my pass in log (all to pflog0) ... rules. If 
you remove the all keyword, you'll see the correct IP addresses at 
session initialization in the logs.


Best regards
Andreas
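Added example, not from any of the posters: a small Python parser for the `tcpdump -n -e -ttt -i pflog0` output format shown in Brett's message. It maps each logged `rule N` onto the `pfctl -sr` listing using pf's 0-based rule numbering (so `rule 8` is the `pass out ... proto tcp` line, which agrees with the logged TCP pass traffic) and flags the all-zero entries Andreas describes so they can be set aside when attributing traffic. `PFCTL_RULES` and the first two sample log lines are reconstructed from the thread; the third log line and its addresses are constructed.

```python
import re

# `pfctl -sr` listing from the thread. pf numbers rules from 0 (compare the @N
# labels of `pfctl -vsr`), so pflog's "rule 8" is the ninth line of this list.
PFCTL_RULES = [
    "block drop in log (all) on ! lo0 proto tcp from any to any port 6000:6010",
    "block drop in quick on ! athn0 inet from 192.168.1.0/24 to any",
    "block drop in quick inet from 192.168.1.134 to any",
    "block drop in quick from urpf-failed to any",
    "block drop in log (all) all",
    "block drop out log (all) all",
    "match in all scrub (no-df)",
    "block drop in log (all) on athn0 all",
    "pass out log (all) on athn0 proto tcp all flags S/SA modulate state",
    "pass out log (all) on athn0 proto udp all keep state",
    "pass out log (all) on athn0 proto icmp all keep state",
    "pass out log (all) on athn0 proto ipv6-icmp all keep state",
]

# Sample pflog text: two lines from the thread plus one constructed block entry
# (made-up addresses) for contrast.
PFLOG_SAMPLE = """\
May 21 23:47:37.376825 rule 8/(match) pass out on athn0: 0.0.0.0.0 > 0.0.0.0.0: . ack 743779200 win 1927 <nop,nop,timestamp 514120164 0> (DF)
May 21 23:47:37.540667 rule 8/(match) pass in on athn0: 0.0.0.0.0 > 0.0.0.0.0: . 12584:14032(1448) ack 462 win 2172 <nop,nop,timestamp 3845107508 514120164> (DF)
May 21 23:47:38.000000 rule 7/(match) block in on athn0: 192.168.1.50.40000 > 192.168.1.134.6000: S 1:1(0) win 65535
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

def split_addr(token):
    # tcpdump -n prints IPv4 endpoints as a.b.c.d.port; peel off the port.
    host, port = token.rsplit(".", 1)
    return host, int(port)

def parse_pflog(text, rules=PFCTL_RULES):
    """Parse pflog lines, attach the matched rule text, flag all-zero endpoints."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["rule_text"] = rules[e["rule"]]  # 0-based, as pf numbers them
        e["src"], e["sport"] = split_addr(e["src"])
        e["dst"], e["dport"] = split_addr(e["dst"])
        e["zeroed"] = e["src"] == "0.0.0.0" and e["dst"] == "0.0.0.0"  # the thread's symptom
        entries.append(e)
    return entries
```

Entries with `zeroed` set carry no usable endpoints; the per-session addresses are only present in the first packet's log record, which is what Andreas's suggestion of dropping `all` leaves behind.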