Hello,
</snip>
> When I check my pflog files in WireShark, I note that WireShark displays
> this in the "Info" column:
>
> [pass vio0/-1]
>

Yes, this can be the default rule. The snippet below comes from pfattach():

    239 /* default rule should never be garbage collected */
    240 pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
    241 pf_default_rule.action = PF_PASS;
    242 pf_default_rule.nr = (u_int32_t)-1;
    243 pf_default_rule.rtableid = -1;

At line 242 the rule number for the default rule is initialized to -1. The number never changes.

regards
sashan

On Fri, Oct 13, 2023 at 04:36:25PM -0400, J Doe wrote:
> On 2023-10-10 18:28, Alexander Bluhm wrote:
>
> > Hi,
> >
> > If a packet is malformed, it is dropped by pf(4). The rule referenced
> > in pflog(4) is the default rule. As the default rule is a pass
> > rule, tcpdump prints "pass" although the packet is actually dropped.
> > I have reports from genua and OPNsense users who are confused by
> > the output.
> >
> > With the diff below we see pass or blocked when the packet is matched
> > or dropped due to bad fragment respectively.
>
> Hello,
>
> I have experienced something with pf that I think may be related to this,
> but I wasn't sure.
>
> When I check my pflog files in WireShark, I note that WireShark displays
> this in the "Info" column:
>
> [pass vio0/-1]
>
> Does the "-1" for the rule number mean that this is the implicit/default
> rule ?
>
> This is for a packet that is being processed by my default deny rule, which
> appears to be a malformed packet, but shows up in WireShark as "pass".
>
> Thanks,
>
> - J
>
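The exchange above turns on two header fields of a pflog(4) record: the rule number, which for the default rule is the unsigned value (u_int32_t)-1 that tcpdump and Wireshark render as "-1", and the action byte, which before Bluhm's diff carries the default rule's PF_PASS even when the packet was dropped. The following parser is an added example, not code from the thread or from OpenBSD. It assumes the fixed prefix of struct pfloghdr from sys/net/if_pflog.h (length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr, with rulenr/subrulenr in network byte order because pflog_packet() writes them with htonl()) and assumes the pfvar.h values PF_PASS=0, PF_DROP=1 and PFRES_MATCH=0, PFRES_FRAG=2; verify both against your own headers. The two frames it decodes are constructed sample data, with the fragment case's reason byte set to PFRES_FRAG as an assumption about what the kernel logs.

```python
import struct

# Assumed layout of the fixed prefix of struct pfloghdr (OpenBSD
# sys/net/if_pflog.h): length, af, action, reason, ifname[IFNAMSIZ],
# ruleset[PF_RULESET_NAME_SIZE], rulenr, subrulenr. rulenr/subrulenr are
# written with htonl() by pflog_packet(), so they are parsed big-endian.
# The remaining fields (uids, pids, dir, addresses, ports) are not needed
# here and are skipped. Check all of this against your own header.
IFNAMSIZ = 16
PF_RULESET_NAME_SIZE = 16
PFLOG_HDRLEN = 100          # assumed total size of struct pfloghdr
_PREFIX = struct.Struct(f"!BBBB{IFNAMSIZ}s{PF_RULESET_NAME_SIZE}sII")

# pfattach() sets pf_default_rule.nr = (u_int32_t)-1. tcpdump and Wireshark
# print the field as a signed int, which is why it shows up as "-1". The
# all-ones pattern is the same in either byte order, so this check does not
# depend on the endianness assumption above.
PF_DEFAULT_RULENR = 0xFFFFFFFF

# Assumed pf action and reason enum values (pfvar.h); anything not listed is
# reported numerically rather than guessed.
PF_ACTIONS = {0: "pass", 1: "block", 2: "scrub", 12: "match"}
PF_REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short",
              4: "normalize", 5: "memory"}


def parse_pflog_header(frame: bytes) -> dict:
    """Decode the part of a DLT_PFLOG frame needed to tell the default
    rule apart from a numbered rule and to read the action/reason bytes."""
    if len(frame) < _PREFIX.size:
        raise ValueError("frame too short for pfloghdr")
    (length, af, action, reason, ifname, ruleset,
     rulenr, subrulenr) = _PREFIX.unpack_from(frame)
    return {
        "length": length,
        "af": af,
        "action": PF_ACTIONS.get(action, f"action#{action}"),
        "reason": PF_REASONS.get(reason, f"reason#{reason}"),
        "ifname": ifname.split(b"\0", 1)[0].decode("ascii", "replace"),
        "ruleset": ruleset.split(b"\0", 1)[0].decode("ascii", "replace"),
        "rulenr": rulenr,
        # What tcpdump/Wireshark display: the u_int32_t reread as signed.
        "rulenr_display": struct.unpack("!i", struct.pack("!I", rulenr))[0],
        "default_rule": rulenr == PF_DEFAULT_RULENR,
        "subrulenr": subrulenr,
    }


def describe(frame: bytes) -> str:
    """Render the "[action ifname/rulenr]" text Wireshark's Info column
    shows, followed by a note when the rule is the default rule or when a
    pass action is paired with a drop reason (the confusion in the thread)."""
    h = parse_pflog_header(frame)
    text = f"[{h['action']} {h['ifname']}/{h['rulenr_display']}]"
    if h["default_rule"]:
        text += " default rule (nr == (u_int32_t)-1, not a rule from pf.conf)"
    if h["action"] == "pass" and h["reason"] != "match":
        text += (f"; reason={h['reason']}: the packet was dropped, the pass "
                 "is the default rule's action, not what happened")
    return text


def build_pflog_header(action: int, reason: int, ifname: str,
                       rulenr: int, af: int = 2, ruleset: str = "") -> bytes:
    """Construct a zero-padded PFLOG_HDRLEN-byte header for test input
    (constructed sample data, not taken from a real capture)."""
    prefix = _PREFIX.pack(PFLOG_HDRLEN, af, action, reason,
                          ifname.encode(), ruleset.encode(),
                          rulenr & 0xFFFFFFFF, 0xFFFFFFFF)
    return prefix + b"\0" * (PFLOG_HDRLEN - len(prefix))


# Constructed sample: the case from the thread, a bad fragment logged with
# the default rule (action pass, reason fragment, rulenr -1).
FRAG_FRAME = build_pflog_header(0, 2, "vio0", -1)
# Constructed sample: an ordinary block by rule number 7 of the main ruleset.
MATCH_FRAME = build_pflog_header(1, 0, "vio0", 7)

if __name__ == "__main__":
    for frame in (FRAG_FRAME, MATCH_FRAME):
        print(describe(frame))
```

Run against a real pflog pcap, each DLT_PFLOG frame starts with this header, so feeding the first 100 bytes of every packet to describe() reproduces the "[pass vio0/-1]" line and flags the records where the reason byte, not the action byte, tells you what pf actually did. Until a kernel with Bluhm's diff is running, the reason field is the reliable indicator for dropped malformed packets.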