* Matt Van Mater <matt.vanma...@gmail.com> [2011-08-22 23:14]:
> See my configuration at the bottom of this email. I am looking into why my
> pflog has these ambiguous entries that show source and destination as all
> zeros e.g. 0.0.0.0.0 > 0.0.0.0.0.
>
> I saw that there was a related thread earlier this year asking questions
> that was unresolved/unconfirmed and I would like to get feedback from one of
> the developers (Daniel, Henning?) to confirm my suspicions. I believe that
> these lines are a result of the log (all) statement, which logs all
> subsequent packets in a stateful session (and not just the first packets
> matching the rules). If that is true, then IMO the log entries are not very
> intuitive or useful without the true source/destination IP Addresses
> included... I can't grep for src/dst any more, now I assume I would have to
> correlate the session information some other way (e.g. sequence numbers?)

src/dst being 0 is not intended. this would be a bug.

> By the way, I tried to post this to the pf mailing list but got bounced back
> on the SPAM filters when trying to subscribe. Same goes for when I tried to
> email Daniel directly to resolve the issue. Can someone get in touch with
> him and inform him of the issue?

daniel's last commit is from 4 years ago. I pretty much rewrote pflog
since then.

ok, I can reproduce. funny enough the addresses are there, kinda.

12:24:20.834247 rule 0/(match) [uid 0, pid 9404] pass in on em1: [orig src 172.16.8.1:22, dst 172.16.7.1:2302] 0.0.0.0.0 > 0.0.0.0.0: . [tcp sum ok] 2741764166:2741764166(0) ack 1558002165 win 2172 <nop,nop,timestamp 3891549029 2732491750> (DF) [tos 0x8] (ttl 64, id 53354, len 52, bad cksum 32f! differs by 6723)

as in, we swap in zero-addresses in the non-NAT case. haven't figured
out why yet...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
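
Added example, not part of the original message and not OpenBSD code: a log-review helper that keeps affected pflog text searchable by falling back to the "[orig src ..., dst ...]" field when the printed endpoints are all zeros. It assumes the tcpdump text layout of the one line quoted above; the function names and the second sample line are constructed for illustration.

```python
import re

# Layout assumed from the line quoted in the message above.
HEADER = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>[\w.]+)/\((?P<reason>\w+)\)"
    r"(?: \[[^\]]*\])? (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): ")
ORIG = re.compile(r"\[orig src ([\d.]+):(\d+), dst ([\d.]+):(\d+)\]")
# tcpdump prints IPv4 endpoints as addr.port > addr.port:
PRINTED = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_pflog_line(line):
    """Return the usable endpoints of one log line as a dict, or None."""
    head = HEADER.match(line)
    if head is None:
        return None
    rest = line[head.end():]
    printed = PRINTED.search(rest)
    if printed is None:
        return None
    src, sport, dst, dport = printed.groups()
    source = "printed"
    if src == dst == "0.0.0.0":
        orig = ORIG.match(rest)  # the field sits right after the header
        if orig:
            src, sport, dst, dport = orig.groups()
            source = "orig"
        else:
            source = "unresolved"  # zeroed and nothing to recover from
    rec = head.groupdict()
    rec.update(src=src, sport=int(sport), dst=dst, dport=int(dport), source=source)
    return rec

def summarize(lines):
    """Count parsed lines by where their endpoints came from."""
    counts = {}
    for rec in filter(None, map(parse_pflog_line, lines)):
        counts[rec["source"]] = counts.get(rec["source"], 0) + 1
    return counts

SAMPLE = [
    # Line from the message above, truncated after the TCP flags.
    "12:24:20.834247 rule 0/(match) [uid 0, pid 9404] pass in on em1: "
    "[orig src 172.16.8.1:22, dst 172.16.7.1:2302] 0.0.0.0.0 > 0.0.0.0.0: . [tcp sum ok]",
    # Constructed line showing an unaffected entry for contrast.
    "12:24:21.000001 rule 0/(match) pass in on em1: 172.16.7.1.2302 > 172.16.8.1.22: . ack 1",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_pflog_line(entry))
    print(summarize(SAMPLE))
```

A non-zero "orig" count from summarize() is a quick indicator that a log was written by an affected pflog.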