Given: em0 -> bridge0 -> vge0

Given: ssh firewall -n 'tcpdump -i bridge0 -s0 -w -' > /tmp/firewall.pcap &

Given the following rule on em0: block, inf=em0, prot=any, src=alias/DDOS, dst=any, log=true.

DDOS = <address>95.211.218.211 154.35.160.11 190.93.242.93 195.93.85.27 190.93.248.140 195.214.79.8 50.7.190.51 5.135.240.134 188.138.94.227 199.217.117.55 85.25.22.137 173.242.117.161 185.8.198.10 199.217.117.54 199.19.105.126 85.25.119.6 10.210.10.155 10.210.10.157 15.185.178.177 172.28.19.29 173.236.120.174 176.58.68.177 185.6.18.222 188.161.85.117 188.161.85.16 188.161.85.166 188.161.85.213 188.161.86.124 188.161.86.14 188.161.86.170 188.161.86.222 188.161.86.251 188.161.86.73 188.161.96.13 188.165.206.93 188.66.5.70 197.133.143.21 198.245.60.38 198.245.63.55 23.24.171.209 24.155.165.107 37.8.105.251 37.8.107.197 37.8.112.255 37.8.121.244 37.8.37.230 37.8.37.45 37.8.49.85 37.8.52.59 37.8.57.174 37.8.6.136 5.39.94.62 5.9.122.174 62.75.222.104 79.172.242.199 88.198.25.35 91.121.112.136 91.121.89.80 94.23.217.26 94.23.248.122 99.39.116.218 173.242.117.187 85.25.159.16 182.140.139.251 31.222.133.87 82.145.53.238 109.3.51.194 198.46.60.218 173.236.59.101 72.252.235.17 99.251.26.83 69.122.140.60 188.165.154.75 77.102.192.158 74.192.163.109 68.170.118.24 112.203.156.92 24.140.29.205 67.11.230.142 121.152.52.118 117.79.148.42 121.54.54.136 122.149.185.24 118.42.170.254 108.61.44.114 108.249.101.28 71.51.147.57 24.185.121.232 192.210.230.227 68.33.2.103 178.63.131.134 121.152.52.154 157.55.235.142 208.98.50.2 150.70.98.50 128.9.160.51 103.3.252.22 85.214.147.66 169.229.50.3 120.101.168.2 128.9.168.85 83.220.63.167 198.5.241.54 198.5.241.54 173.46.209.136 173.46.209.180 198.5.241.54 149.154.157.248 120.28.136.159 121.152.52.144 199.217.113.202 98.119.225.15 70.115.247.135 176.227.201.34 112.198.249.40 188.165.94.210 79.255.146.190 108.78.131.190 119.252.191.52 123.243.74.136 82.240.240.28 178.33.2.175 101.165.33.54 5.9.138.50 81.218.230.147</address>

Why do I see many packets from a few of the IPs blocked in my capture on bridge0?
Shouldn't those be blocked at em0 before the bridge?

Ex:

20751 80.507919 31.222.133.87 67.90.184.35 DNS 80 Standard query ANY ripe.net
20758 80.513292 81.218.230.147 67.90.184.15 DNS 70 Standard query ANY <Root>

-Jason

--
Jason Pyeron, PD Inc. http://www.pdinc.us
Principal Consultant, 10 West 24th Street #100, Baltimore, Maryland 21218, +1 (443) 269-1555 x333
This message is copyright PD Inc, subject to license 20080407P00.
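Added example, not part of the post above: a small Python script that does mechanically what the poster did by eye, namely cross-checking capture summary lines (in the frame/time/src/dst/proto/len/info column layout shown in the post) against the contents of a pfSense-style alias and reporting which frames carry a source address that the alias covers. The alias text and the three capture lines below are constructed for the example; the first two lines are the two from the post, the third is a made-up non-matching one. Network entries (CIDR) in the alias are handled as well as single hosts, which goes slightly beyond the host-only alias in the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed alias content: a subset of the post's DDOS alias entries.
# A pfSense alias is a whitespace-separated list of hosts or networks.
DDOS_ALIAS = "95.211.218.211 154.35.160.11 31.222.133.87 81.218.230.147 5.9.138.50 198.5.241.54 198.5.241.54"

# Constructed capture summary lines (frame, time, src, dst, proto, len, info).
# Lines 1 and 2 are the two shown in the post; line 3 is a made-up non-match.
SAMPLE_LINES = """\
20751 80.507919 31.222.133.87 67.90.184.35 DNS 80 Standard query ANY ripe.net
20758 80.513292 81.218.230.147 67.90.184.15 DNS 70 Standard query ANY <Root>
20760 80.520001 192.0.2.10 67.90.184.15 DNS 60 Standard query A example.com
"""

LINE_RE = re.compile(
    r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$"
)


def parse_alias(text):
    """Return the set of networks an alias covers.

    Single hosts become /32 networks; duplicate entries (the post's alias
    lists 198.5.241.54 three times) collapse into one set member.
    """
    return {ipaddress.ip_network(tok, strict=False) for tok in text.split()}


def parse_summary(line):
    """Parse one summary line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    frame, t, src, dst, proto, length, info = m.groups()
    return {
        "frame": int(frame), "time": float(t), "src": src, "dst": dst,
        "proto": proto, "len": int(length), "info": info,
    }


def is_alias_source(src, nets):
    """True if src falls inside any host or network in the alias."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # not an IP literal (e.g. a MAC or a hostname column)
    return any(addr in n for n in nets)


def audit(capture_text, alias_text):
    """Return (matching packets, per-source counts) for a capture summary."""
    nets = parse_alias(alias_text)
    hits = []
    for line in capture_text.splitlines():
        pkt = parse_summary(line)
        if pkt and is_alias_source(pkt["src"], nets):
            hits.append(pkt)
    per_src = Counter(p["src"] for p in hits)
    return hits, per_src


if __name__ == "__main__":
    hits, per_src = audit(SAMPLE_LINES, DDOS_ALIAS)
    for p in hits:
        print(f"frame {p['frame']}: {p['src']} -> {p['dst']} "
              f"{p['proto']} {p['info']}")
    print("alias sources seen in capture:", dict(per_src))
```

To run it against a real capture, feed it the summary output of a tool such as tshark rather than the raw pcap; the regex only understands the seven-column text form. Note that this only tells you which frames on bridge0 came from alias members; the decision pf made for those frames is recorded on pflog0 (the rule has log=true), so that interface is the one to capture or read when you want to see whether the block rule actually matched.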
