On 19/11/12 14:47, Henning Brauer wrote:
* Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2012-11-01 13:57]:

Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0
win 6667 urg 0 (DF)
Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win
apparently something is blocked, but also something is passed since I still get these messages on my pflog.
need to resort to guesswork since your report lacks so much, but it
looks like you are simply misdiagnosing. and I admit it isn't super
obvious. seeing the "bad hdr length", pf will block these.

What about the other lines?
rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)
rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win


the rule referred to then is the default rule. but we didn't get as far as rule matching, so that is misleading you.

as said, this is entirely guessed.

What do you mean by default rule?

When I had these logs, the first rule was
block quick from 74.206.235.92

On the other hand, tcpdump on the inner interface showed no traffic whatsoever from the offending IP,
so pf was indeed blocking the traffic.

Probably the only misleading thing here is the log. I've quite lost you and I'm not really sure
a) why do I see these logs?
b) is the traffic indeed blocked, or do I need to put a more specific rule like
block quick from $offending_IP
c) you said we didn't get as far as rule matching. Does that stand for "bad hdr length"?

thanx

G
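A log-triage helper for the pflog lines discussed in this thread, added here as an example and not code from either poster or from pf itself. It parses tcpdump-style pflog output and flags what Henning points at: a reason field other than "match" (here "short") or a "[bad hdr length]" note means the verdict was reached before rule matching, so the "def" rule and the word "pass" should not be read as the traffic having been accepted; it also flags port 0 and impossible TCP flag combinations. The sample lines, addresses and interface name are constructed, and the reason-field handling assumes pflog's "<rule>/(<reason>)" format as shown in the quoted lines.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the pflog excerpt quoted in the thread
# (documentation/private addresses, not the original ones).
SAMPLE_LOG = """\
Nov 01 12:51:12.724286 rule def/(short) pass in on vlan10: 192.0.2.9.0 > 10.0.0.5.0: FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)
Nov 01 12:51:21.934774 rule def/(short) pass in on vlan10: 192.0.2.9.0 > 10.0.0.5.0: SFW [bad hdr length] (DF)
Nov 01 12:51:26.985783 rule def/(short) pass in on vlan10: 192.0.2.9.0 > 10.0.0.5.0: SRPWE 1137099714:1137099730(16) win
Nov 01 12:52:01.000000 rule 3/(match) pass in on vlan10: 198.51.100.7.51234 > 10.0.0.5.22: S 1:1(0) win 65535 <mss 1460> (DF)
"""

# tcpdump-style pflog line: timestamp, "rule <num>/(<reason>)", action, direction,
# interface, "src.port > dst.port:", TCP flag letters, then the rest of the decode.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d [\d:.]+) rule (?P<rule>\S+)/\((?P<reason>[\w-]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRPUEWC.]+)(?P<rest>.*)$"
)

def port_of(endpoint):
    """Last dotted component of 'a.b.c.d.port' is the port."""
    return endpoint.rsplit(".", 1)[1]

def triage(line):
    """Parse one pflog line; return its fields plus the reasons it is not an ordinary 'pass'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    flags, notes = set(rec["flags"]), []
    # Any reason other than "match" means pf decided before rule matching (e.g. "short":
    # the packet was too short to parse), so the logged rule number is not meaningful.
    if rec["reason"] != "match":
        notes.append("reason=%s (logged before rule matching)" % rec["reason"])
    if "bad hdr length" in rec["rest"]:
        notes.append("bad TCP header length")
    if port_of(rec["src"]) == "0" or port_of(rec["dst"]) == "0":
        notes.append("port 0")
    if "S" in flags and ("F" in flags or "R" in flags):
        notes.append("impossible flag combination " + rec["flags"])
    rec["notes"] = notes
    return rec

def summarize(log):
    """Count anomalous lines per source address (port stripped)."""
    hits = Counter()
    for line in log.splitlines():
        rec = triage(line)
        if rec and rec["notes"]:
            hits[rec["src"].rsplit(".", 1)[0]] += 1
    return hits
```

Running `summarize` over a real pflog capture (`tcpdump -n -e -ttt -r /var/log/pflog`) gives a per-source count of such pre-matching verdicts, which is a better signal than the rule number the log line shows.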
