On 2023-10-10 18:28, Alexander Bluhm wrote:
> Hi,
>
> If a packet is malformed, it is dropped by pf(4). The rule referenced
> in pflog(4) is the default rule. As the default rule is a pass
> rule, tcpdump prints "pass" although the packet is actually dropped.
> I have reports from genua and OPNsense users who are confused by
> the output.
>
> With the diff below we see pass or blocked when the packet is matched
> or dropped due to bad fragment respectively.

Hello,
I have experienced something with pf that I think may be related to
this, but I wasn't sure.
When I check my pflog files in Wireshark, I note that Wireshark displays
this in the "Info" column:
[pass vio0/-1]
Does the "-1" for the rule number mean that this is the implicit/default
rule?
This is for a packet that is being processed by my default deny rule,
which appears to be a malformed packet, but shows up in Wireshark as "pass".
Thanks,
- J