it isn't passed, it is blocked.
not by a rule, but by pf itself, long before, since the header length is
invalid. and since there is no rule to refer to, it refers to the
default rule.

* David Diggles <da...@elven.com.au> [2013-01-16 08:43]:
> Hello List,
> 
> I just got a similar event in my pflog.
> 
> Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]
> 
> I don't know what this is, or why it is passed.
> 
> Can someone explain or attempt a guess at what this is?
> 
> The intention of my pf.conf is to block all incoming
> by default on pppoe0.
> 
> Am I doing something really stupid here?
> 
> /etc/hostname.carp1
> inet 172.75.100.1 255.255.255.0 172.25.101.255 balancing ip-stealth carpnodes 1:0,2:100 pass secret1
> group dmz
> 
> /etc/hostname.carp2
> inet 172.25.100.1 255.255.255.0 172.25.100.255 balancing ip-stealth carpnodes 4:0,5:100 pass secret2
> group lan
> 
> /etc/hostname.em0
> up mtu 1508
> 
> /etc/hostname.em1
> inet 172.75.100.4 255.255.255.0
> group dmz
> 
> /etc/hostname.em2
> inet 172.25.100.4 255.255.255.0
> group lan
> 
> /etc/hostname.pppoe0
> inet 59.167.212.41 255.255.255.255 NONE mtu 1500 \
> pppoedev em0 authproto pap \
> authname pppoeuser authkey pppoepass up
> dest 0.0.0.1
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 ::1
> 
> /etc/pf.conf
> #-----------------------------------------------------------------------
> # defaults
> #-----------------------------------------------------------------------
> table <rfc1918> const { 192.168/16 172.16/12 10/8 }
> table <dmz> const { dmz:network }
> table <lan> const { lan:network }
> set loginterface egress
> set skip on lo
> block in quick on egress from <rfc1918>
> antispoof log quick for { pppoe0 em0 }
> pass
> block quick on egress proto carp
> block quick on { egress dmz } inet6
> block in log on { egress dmz }
> #-----------------------------------------------------------------------
> # ack priority
> #-----------------------------------------------------------------------
> match on egress inet proto tcp prio(1,7)
> #-----------------------------------------------------------------------
> # sand blasting
> #-----------------------------------------------------------------------
> match in on egress scrub (reassemble tcp)
> #match in on { egress dmz } scrub (reassemble tcp)
> #match on egress scrub (max-mss 1440)                                         
>    
> #-----------------------------------------------------------------------
> # translation and redirections
> #-----------------------------------------------------------------------
> match out on egress nat-to (egress)
> match in on { lan dmz } inet proto tcp to ! bincrow.net \
>     port www rdr-to localhost port 8080
> match in on { lan dmz } inet proto tcp to bincrow.net \
>     port www rdr-to localhost
> match in on { lan dmz } inet to bincrow.net rdr-to localhost
> #-----------------------------------------------------------------------
> # incoming port forwards
> #-----------------------------------------------------------------------
> # torrent
> pass in on egress inet proto tcp to egress port 6881 rdr-to meile \
>     modulate state
> pass in on egress inet proto udp to egress port 6881 rdr-to meile \
>     keep state
> #-----------------------------------------------------------------------
> # allow anyone to this
> #-----------------------------------------------------------------------
> pass in on egress inet proto tcp from any to egress port www \
>     modulate state
> #-----------------------------------------------------------------------
> # dns
> #-----------------------------------------------------------------------
> table <dns-white> persist file "/etc/pf/dns-white"
> pass in on egress inet proto { tcp udp } from \
>     <dns-white> to egress port domain
> pass in on dmz inet proto { tcp udp } from \
>     <dmz> to dmz port domain
> #-----------------------------------------------------------------------
> # ntp
> #-----------------------------------------------------------------------
> pass in on dmz inet proto { tcp udp } from <dmz> \
>     to dmz port { daytime time ntp }
> #-----------------------------------------------------------------------
> # ssh - whitelist, and rate limit overflows into blacklist
> #-----------------------------------------------------------------------
> table <ssh-black> persist file "/etc/pf/ssh-black"
> table <ssh-white> persist file "/etc/pf/ssh-white"
> pass in log on { egress dmz } inet proto tcp from <ssh-white> to \
>     port ssh rdr-to localhost
> pass in log on { egress dmz } inet proto tcp from !<ssh-black> to \
>     port ssh rdr-to localhost keep state \
>     (max-src-conn-rate 1/30, overload <ssh-black> flush)
> #-----------------------------------------------------------------------
> # imaps - whitelist, and rate limit overflows into blacklist
> #-----------------------------------------------------------------------
> table <imaps-black> persist file "/etc/pf/imaps-black"
> table <imaps-white> persist file "/etc/pf/imaps-white"
> pass in log on { egress dmz } inet proto tcp from <imaps-white> to \
>     port imaps rdr-to localhost
> pass in log on { egress dmz } inet proto tcp from !<imaps-black> to \
>     port imaps rdr-to localhost keep state \
>     (max-src-conn-rate 2/1, overload <imaps-black> flush)
> #-----------------------------------------------------------------------
> # squid - whitelist
> #-----------------------------------------------------------------------
> table <squid-white> persist file "/etc/pf/squid-white"
> pass in on egress inet proto tcp from <squid-white> to egress port 8080
> #-----------------------------------------------------------------------
> # allow these to everything
> #-----------------------------------------------------------------------
> table <authpf_users> persist
> table <all-egress> persist file "/etc/pf/all-egress"
> pass in on egress from { <authpf_users> <all-egress> } to egress
> table <all-dmz> persist file "/etc/pf/all-dmz"
> pass in on dmz from { <authpf_users> <all-dmz> } to any
> #-----------------------------------------------------------------------
> # smtp - spamd gatekeeps sendmail
> #-----------------------------------------------------------------------
> table <nospamd> persist file "/etc/mail/nospamd"
> table <spamd-white> persist
> pass in on egress proto tcp from any to egress port smtp \
>     rdr-to localhost port spamd
> pass in log on egress proto tcp from { <nospamd> <spamd-white> } \
>     to egress port smtp modulate state
> pass out log on egress proto tcp to any port smtp modulate state
> #-----------------------------------------------------------------------
> # smtp - direct to sendmail
> #-----------------------------------------------------------------------
> #pass in log on egress proto tcp from any \
> #    to egress port smtp modulate state
> #pass out log on egress proto tcp to any port smtp modulate state
> 
> On Mon, Nov 19, 2012 at 01:47:09PM +0100, Henning Brauer wrote:
> > * Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2012-11-01 13:57]:
> > > Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
> > > Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0
> > > win 6667 urg 0 (DF)
> > > Nov 01 12:51:14.027193 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: SFR [bad hdr length] (DF)
> > > Nov 01 12:51:15.692047 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: RPWE [bad hdr length] (DF)
> > > Nov 01 12:51:16.121181 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: SFPW [bad hdr length] (DF)
> > > Nov 01 12:51:17.962807 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: SE [bad hdr length] (DF)
> > > Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
> > > Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx:
> > > 74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win
> > 
> > > apparently something is blocked, but also something is passed since
> > > I still get these messages
> > > on my pflog.
> > 
> > need to resort to guesswork since your report lacks so much, but it
> > looks like you are simply misdiagnosing. and I admit it isn't super
> > obvious. seeing the "bad hdr length", pf will block these. the rule
> > referred to then is the default rule. but we didn't get as far as rule
> > matching, so that is misleading you.
> > 
> > as said, this is entirely guessed.
> > 
> > -- 
> > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > BS Web Services, http://bsws.de, Full-Service ISP
> > Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> > Henning Brauer Consulting, http://henningbrauer.com/
> 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

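As an added example (not code from the thread, and not part of pf or tcpdump), here is a small parser for tcpdump-decoded pflog lines that reports what pf actually did with each packet, applying the point made above: a "rule def/(short)" line is a packet that pf dropped in its header-length sanity check before any rule was evaluated, and the "def" / "pass" printed on it is the default rule and its action, not the verdict. The sample input reuses the log lines quoted in this thread plus one constructed "rule 12/(match)" line for contrast; the rule number 12, the 198.51.100.7 address, and the looks_malformed heuristic are assumptions of the example.

```python
"""Classify tcpdump-decoded pflog lines by what pf did, not by what they print."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the "rule def/(short)" lines quoted in this thread,
# plus one ordinary "rule N/(match)" line invented for contrast (rule number 12
# and the 198.51.100.7 address are assumptions, not thread data).
SAMPLE_PFLOG = """\
Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]
Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)
Jan 16 16:09:00.000000 rule 12/(match) block in on pppoe0: 198.51.100.7.44321 > 59.167.212.41.22: S 1:1(0) win 65535
"""

# "<timestamp> rule <nr>/(<reason>) <action> <dir> on <ifname>: <decoded packet>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:.]+) rule (?P<rule>[^/]+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<ifname>[^:]+): (?P<rest>.*)$"
)
# "<src>.<sport> > <dst>.<dport>: [flags] ..." as tcpdump prints TCP.
TCP_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUWE.]+)?\s*(?P<tail>.*)$"
)


@dataclass
class PflogEntry:
    ts: str
    rule: str
    reason: str
    logged_action: str
    direction: str
    ifname: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str
    bad_hdr_len: bool

    @property
    def verdict(self) -> str:
        """What pf did, as opposed to what the line prints.

        reason "match": the printed action is the matching rule's verdict.
        reason "short": pf's header-length sanity check dropped the packet
        before any rule ran; the line shows the default rule ("def") and that
        rule's action ("pass"), which is what makes it read as passed.
        Any other reason is reported as-is rather than guessed at.
        """
        if self.reason == "match":
            return self.logged_action
        if self.reason == "short":
            return "block"
        return "unknown:" + self.reason

    @property
    def looks_malformed(self) -> bool:
        """Heuristic (an assumption of this example, not from the thread):
        a TCP header tcpdump could not decode, an impossible SYN+FIN or
        SYN+RST flag set, or port 0 on either side is not a real connection."""
        if self.bad_hdr_len:
            return True
        f = set(self.flags)
        if "S" in f and ("F" in f or "R" in f):
            return True
        return self.sport == 0 or self.dport == 0


def parse_line(line: str) -> Optional[PflogEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = "", None, "", None, ""
    t = TCP_RE.match(m["rest"])
    if t:
        src, dst = t["src"], t["dst"]
        sport, dport = int(t["sport"]), int(t["dport"])
        flags = t["flags"] or ""
    return PflogEntry(
        ts=m["ts"], rule=m["rule"], reason=m["reason"], logged_action=m["action"],
        direction=m["dir"], ifname=m["ifname"], src=src, sport=sport, dst=dst,
        dport=dport, flags=flags, bad_hdr_len="[bad hdr length]" in m["rest"],
    )


def parse_log(text: str) -> List[PflogEntry]:
    entries = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def summarize(text: str) -> Dict[str, int]:
    """Count real verdicts; 'blocked_before_rules' is the subset dropped by the
    header sanity check, i.e. the lines that look like passes but are not."""
    counts: Dict[str, int] = {"pass": 0, "block": 0, "blocked_before_rules": 0, "unknown": 0}
    for e in parse_log(text):
        key = "unknown" if e.verdict.startswith("unknown") else e.verdict
        counts[key] = counts.get(key, 0) + 1
        if e.reason == "short":
            counts["blocked_before_rules"] += 1
    return counts


if __name__ == "__main__":
    for e in parse_log(SAMPLE_PFLOG):
        print(f"{e.ts} {e.src}:{e.sport} -> {e.dst}:{e.dport} flags={e.flags or '-'} "
              f"logged={e.rule}/{e.logged_action} actual={e.verdict} malformed={e.looks_malformed}")
    print(summarize(SAMPLE_PFLOG))
```

Run it against `tcpdump -n -e -ttt -i pflog0` output (or a saved pflog file via `tcpdump -n -e -ttt -r /var/log/pflog`) piped through parse_log; the point of the verdict property is that the reason field, not the printed action, is what tells you whether a rule ever saw the packet.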