On 10 May 2014, at 15:14, Brandon Vincent <brandon.vinc...@asu.edu> wrote:
> Doug,
>
> As long as you are on the same LAN/broadcast domain, it would be pretty easy
> to use a program like Nmap with the "-S, --source-ip" parameter to spoof the
> source IP.
>
> Would you mind sharing the rule that caused this problem?
>
> Brandon Vincent
>
>
> On Sat, May 10, 2014 at 2:34 PM, Doug Hardie <bc...@lafn.org> wrote:
> I have a pf rule (FreeBSD 9.2) that uses a table to block access from
> specific networks. This morning I found the following situation:
>
> 12 attempts from an address in one of the blocked networks to access the
> server. All were blocked and marked as such with the proper rule number in
> pflog.
>
> 10 succeeding connections that were passed through to the port. These were
> logged by the process listening on that port.
>
> There were no changes to the rules, reboots, etc. during that time. This all
> transpired in about 10 minutes. A dump of the table shows the proper address
> range. I am not logging the pass-throughs, so only the original 12 blocks are
> in the logs. I have never seen anything like this in the past. Is there
> some way I can test a specific IP address and have pf tell me what it would
> do if it received a packet from that address?

nmap does a good test. Took a while to figure out how to make it spoof properly though. Unfortunately I can't make pf fail. It blocks everything I send from that range. I guess I'll just have to monitor this a lot closer.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
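Doug's question ("test a specific IP address and have pf tell me what it would do") has an on-box answer that does not need spoofed packets: `pfctl -t <table> -T test <addr>` reports whether an address matches a table, and `pfctl -vsr` shows the loaded rules with their counters. The block below is an added example, not code from this thread or from pf itself: it re-implements pf's table-lookup semantics (the most specific entry wins, a negated `!` entry excludes addresses) and pf's rule evaluation (last matching rule wins, unless a matching rule is `quick`) in Python so the logic can be checked offline. The table contents, the rule list and the function names are constructed for illustration.

```python
"""Offline emulation of `pfctl -t <table> -T test <addr>` plus pf's
last-match / quick rule evaluation. Added example; the table file text
and the rulesets below are constructed, not taken from the thread."""
import ipaddress

# Constructed block table in pf table-file syntax (one entry per line,
# '#' comments, '!' negation). The negated /26 inside the /25 shows how
# a more specific negated entry carves an exception out of a blocked net.
BLOCK_TABLE_FILE = """\
# blocked networks (constructed sample)
192.0.2.0/24
198.51.100.0/25
!198.51.100.64/26   # carve-out: pf treats these as NOT in the table
2001:db8::/32
"""


def parse_table(text):
    """Parse pf table-file text into a list of (negated, ip_network)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:].strip()
        entries.append((negated, ipaddress.ip_network(line, strict=False)))
    return entries


def table_test(entries, addr):
    """Return True if pf would consider addr a member of the table.

    pf picks the longest-prefix entry containing the address; if that
    best match is a negated entry, the address is not in the table.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for negated, net in entries:
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen:
            best = (negated, net)
    return best is not None and not best[0]


def pf_decision(rules, entries, src):
    """Evaluate a minimal ruleset the way pf does.

    Each rule is (action, quick, from_table): from_table=None means
    "from any", True means "from <table>", False means "from !<table>".
    The LAST matching rule wins; a matching "quick" rule ends evaluation
    at once. With no matching rule pf's default action is pass.
    """
    in_table = table_test(entries, src)
    result = "pass"
    for action, quick, from_table in rules:
        if from_table is not None and in_table != from_table:
            continue
        result = action
        if quick:
            break
    return result


# Two constructed rulesets that differ only in "quick" on the block rule.
RULES_QUICK = [("block", True, True), ("pass", False, None)]
RULES_NO_QUICK = [("block", False, True), ("pass", False, None)]


if __name__ == "__main__":
    table = parse_table(BLOCK_TABLE_FILE)
    for src in ("192.0.2.7", "198.51.100.70", "203.0.113.1"):
        print(src, "in table:", table_test(table, src),
              "quick ->", pf_decision(RULES_QUICK, table, src),
              "no quick ->", pf_decision(RULES_NO_QUICK, table, src))
```

The second ruleset is the one worth dwelling on: without `quick`, a later `pass` rule that also matches the packet overrides the `block`, so the table lookup alone does not tell you what pf will do. On a real host, pair `pfctl -t <table> -T test <addr>` with a read of the full loaded ruleset (`pfctl -sr`) before concluding that a table entry guarantees a block.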