Hi misc,
I have been playing around with pf lately, and have noticed a bunch of
packets going from 0.0.0.0.0 to 0.0.0.0.0. I know 0.0.0.0 sometimes
means the network address, but am not sure why these packets are getting
through the firewall, or even if they are.
Also, when tcpdump says (for example) "rule 8" does that mean the 8th
line in the output of pfctl -sr?
I cannot find an explanation on the website or in the man pages.
Cheers,
Brett.
PS Happy birthday, Theo, I will buy a tshirt and a cd set (once I've got
a new job!)
---------
Output from tcpdump:
tcpdump -n -e -ttt -i pflog0
May 21 23:47:37.376825 rule 8/(match) pass out on athn0: 0.0.0.0.0 >
0.0.0.0.0: . ack 743779200 win 1927 <nop,nop,timestamp 514120164 0> (DF)
May 21 23:47:37.540667 rule 8/(match) pass in on athn0: 0.0.0.0.0 >
0.0.0.0.0: . 12584:14032(1448) ack 462 win 2172 <nop,nop,timestamp
3845107508 514120164> (DF)
May 21 23:47:37.544679 rule 8/(match) pass in on athn0: 0.0.0.0.0 >
0.0.0.0.0: P 14032:15065(1033) ack 462 win 2172 <nop,nop,timestamp
3845107508 514120164> (DF)
May 21 23:47:37.544701 rule 8/(match) pass out on athn0: 0.0.0.0.0 >
0.0.0.0.0: . ack 743781681 win 1918 <nop,nop,timestamp 514120165 0> (DF)
May 21 23:47:37.544708 rule 8/(match) pass in on athn0: 0.0.0.0.0 >
0.0.0.0.0: P 15065:15070(5) ack 462 win 2172 <nop,nop,timestamp
3845107508 514120164> (DF)
May 21 23:47:37.742617 rule 8/(match) pass out on athn0: 0.0.0.0.0 >
0.0.0.0.0: . ack 743781686 win 2048 <nop,nop,timestamp 514120165 0> (DF)
^C
29 packets received by filter
0 packets dropped by kernel
-----------
My pf.conf file (I know there is overlap/over-redundancy here):
set block-policy drop
block in log (all, to pflog0) on ! lo0 proto tcp to port 6000:6010
block in quick from urpf-failed
antispoof quick for athn0 inet
block in log (all, to pflog0) all
block out log (all, to pflog0) all
match in all scrub (no-df)
block in log (all, to pflog0) on athn0
pass out log (all, to pflog0) on athn0 proto { tcp udp icmp icmp6 } all modulate state
----------
# pfctl -sr
block drop in log (all) on ! lo0 proto tcp from any to any port 6000:6010
block drop in quick on ! athn0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.134 to any
block drop in quick from urpf-failed to any
block drop in log (all) all
block drop out log (all) all
match in all scrub (no-df)
block drop in log (all) on athn0 all
pass out log (all) on athn0 proto tcp all flags S/SA modulate state
pass out log (all) on athn0 proto udp all keep state
pass out log (all) on athn0 proto icmp all keep state
pass out log (all) on athn0 proto ipv6-icmp all keep state
----------------------------------------------------------------------------------------------
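An added example, not part of the original post, showing how the "rule N" in pflog tcpdump output maps back to the ruleset. pf numbers rules from 0, which is the same "@N" prefix pfctl -vvsr prints, so "rule 8" is the ninth line of the pfctl -sr listing above (the tcp "pass out ... modulate state" rule). The "pass in" lines carry the same number because log (all) logs every packet of a state under the rule that created that state. The ruleset and the pflog line below are copied from the post and embedded as constructed sample input so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: map pflog "rule N" back to the pf ruleset (0-based numbering).

# Constructed sample input: the pfctl -sr listing from the post, one rule per line.
RULESET='block drop in log (all) on ! lo0 proto tcp from any to any port 6000:6010
block drop in quick on ! athn0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.134 to any
block drop in quick from urpf-failed to any
block drop in log (all) all
block drop out log (all) all
match in all scrub (no-df)
block drop in log (all) on athn0 all
pass out log (all) on athn0 proto tcp all flags S/SA modulate state
pass out log (all) on athn0 proto udp all keep state
pass out log (all) on athn0 proto icmp all keep state
pass out log (all) on athn0 proto ipv6-icmp all keep state'

# Constructed sample input: one pflog line from the post (unwrapped).
PFLOG_LINE='May 21 23:47:37.376825 rule 8/(match) pass out on athn0: 0.0.0.0.0 > 0.0.0.0.0: . ack 743779200 win 1927 <nop,nop,timestamp 514120164 0> (DF)'

# Extract the rule number from a "tcpdump -n -e -ttt -i pflog0" line.
pflog_rule_number() {
    printf '%s\n' "$1" | sed -n 's/.* rule \([0-9][0-9]*\)\/.*/\1/p'
}

# Print rule N (0-based) from a ruleset listing, prefixed "@N" like pfctl -vvsr.
# $1 = rule number, $2 = ruleset text (one rule per line, pfctl -sr order).
rule_by_number() {
    printf '%s\n' "$2" | awk -v n="$1" 'NR == n + 1 { print "@" n " " $0 }'
}

# Annotate a whole pfctl -sr listing with its 0-based "@N" numbers.
number_ruleset() {
    printf '%s\n' "$1" | awk '{ print "@" NR - 1 " " $0 }'
}

# Usage: show which rule the logged packet matched.
n=$(pflog_rule_number "$PFLOG_LINE")
printf 'pflog says rule %s, which is:\n' "$n"
rule_by_number "$n" "$RULESET"
```

On a live system the same mapping is available directly: `pfctl -vvsr` prints each rule with its `@N` number, and that N is what pflog records. Note that `pfctl -sr` output is one rule per line only in the loaded ruleset; a rule written with a `{ }` list in pf.conf, like the `proto { tcp udp icmp icmp6 }` line above, expands into several numbered rules.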