2014/1/26 Jiri B <ji...@devio.us>:
> Hello,
>
> I'm trying to understand why there's no PF state for an outgoing
> rule dedicated to the dnscrypt-proxy (688) daemon.
>
> pf.conf says 'user' option needs effective ID...
>
> # ps -axo uid,ruid,gid,rgid,pid,args | grep dnscrypt
>   688   688   688   688 16665 /usr/local/sbin/dnscrypt-proxy -d 
> --local-address=127.0.0.1:5331 --user=_dnscrypt-proxy
>
> # pfctl -sr
> block drop out log quick on egress from ! (egress:0) to any
> anchor "test-out" all
> pass out log quick on egress inet proto udp from any to 208.67.220.220 port = 443 user = 688
> pass out log quick on egress inet proto tcp from any to 208.67.220.220 port = 443 user = 688 flags S/SA
> pass out log quick on egress inet proto icmp all icmp-type echoreq
> block drop in log quick from no-route to any
> block drop in log quick from urpf-failed to any
> block drop out log quick all
> block drop in log quick on egress inet from any to 255.255.255.255
> anchor "test-in" all
> pass in log quick on egress inet proto icmp from any to (egress:0) icmp-type echoreq code 0
> pass in log quick on egress inet proto tcp from any to (egress:0) port = 22 flags S/SA
> block drop in log quick all
>
> Now when dnscrypt-proxy tries to make a connection it is blocked.
> Interestingly, there isn't even a logged outgoing connection, just the
> blocked return.
>
> # tcpdump -i pflog0 -n -e -ttt -vv
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Jan 26 00:41:00.884036 rule 7/(match) [uid 0, pid 23524] block out on iwn0: [uid 0, pid 16665] 192.168.1.100.10976 > 208.67.220.220.443: udp 512 (ttl 64, id 9876, len 540, bad cksum 208! differs by e108)
>
> (from anchor)
> # pfctl -ss
> all tcp 192.168.1.100:16505 -> 66.7.199.108:22       ESTABLISHED:ESTABLISHED
>
> Well, it works if I add a dnscrypt-proxy rule for root, but why?

Because the socket (hint: <1024) was opened with root rights, and
therefore the uid=0 was saved there.

--
  WBR,
  Vadim Zhukov
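
As an added example (not part of either message above, and not dnscrypt-proxy's or OpenBSD's own configuration): a pf.conf fragment showing the rule keyed on the unprivileged uid, which never matches because pf records the effective uid at the moment the socket is created (0 here, as the `[uid 0, pid 16665]` in the pflog line shows), beside the rule keyed on root that does match. The destination 208.67.220.220, port 443, the `egress` group and the `_dnscrypt-proxy` user (uid 688) are taken from the thread; keeping the root rule pinned to that one destination and port is an assumption about how narrow you want it.

```conf
# Added example, not from the thread: rules for a daemon that opens its
# upstream socket while still root and only then drops to _dnscrypt-proxy (688).

# Does NOT match: pf compares against the uid that owned the socket when it
# was opened (0), so a rule keyed on the unprivileged uid never sees the
# daemon's outgoing packets and no state is ever created.
# pass out log quick on egress inet proto { tcp, udp } \
#     from any to 208.67.220.220 port 443 user _dnscrypt-proxy

# Matches: key on root, but keep the rule pinned to one destination and one
# port so it does not turn into a general "root may talk anywhere" allowance.
pass out log quick on egress inet proto { tcp, udp } \
    from any to 208.67.220.220 port 443 user root

# Everything else root-owned still falls through to the catch-all block.
block drop out log quick all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Note that `ps -o uid,ruid` shows the process's current credentials, not the socket's recorded owner; the `[uid N, pid M]` field printed by `tcpdump -n -e -ttt -i pflog0` is the view pf actually matches on, so that is the place to confirm which uid a rule has to name.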
