On Sun, Jan 26, 2014 at 04:03:59AM +0400, Vadim Zhukov wrote:
> 2014/1/26 Jiri B <ji...@devio.us>:
> > Hello,
> >
> > I'm trying to understand why there's no PF state for an outgoing
> > rule dedicated to the dnscrypt-proxy (668) daemon.
> >
> > pf.conf says the 'user' option needs the effective ID...
> >
> > # ps -axo uid,ruid,gid,rgid,pid,args | grep dnscrypt
> > 688 688 688 688 16665 /usr/local/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5331 --user=_dnscrypt-proxy
> >
> > # pfctl -sr
> > block drop out log quick on egress from ! (egress:0) to any
> > anchor "test-out" all
> > pass out log quick on egress inet proto udp from any to 208.67.220.220 port = 443 user = 688
> > pass out log quick on egress inet proto tcp from any to 208.67.220.220 port = 443 user = 688 flags S/SA
> > pass out log quick on egress inet proto icmp all icmp-type echoreq
> > block drop in log quick from no-route to any
> > block drop in log quick from urpf-failed to any
> > block drop out log quick all
> > block drop in log quick on egress inet from any to 255.255.255.255
> > anchor "test-in" all
> > pass in log quick on egress inet proto icmp from any to (egress:0) icmp-type echoreq code 0
> > pass in log quick on egress inet proto tcp from any to (egress:0) port = 22 flags S/SA
> > block drop in log quick all
> >
> > Now when dnscrypt-proxy tries to make a connection it is blocked.
> > Interestingly, there's not even a logged outgoing connection, just the
> > blocked return.
> >
> > # tcpdump -i pflog0 -n -e -ttt -vv
> > tcpdump: WARNING: snaplen raised from 116 to 160
> > tcpdump: listening on pflog0, link-type PFLOG
> > Jan 26 00:41:00.884036 rule 7/(match) [uid 0, pid 23524] block out on iwn0: [uid 0, pid 16665] 192.168.1.100.10976 > 208.67.220.220.443: udp 512 (ttl 64, id 9876, len 540, bad cksum 208! differs by e108)
> >
> > (from anchor)
> > # pfctl -ss
> > all tcp 192.168.1.100:16505 -> 66.7.199.108:22 ESTABLISHED:ESTABLISHED
> >
> > Well, it works if I add a dnscrypt-proxy rule for root, but why?
>
> Because the socket (hint: <1024) was opened with root rights, and
> therefore the uid=0 was saved there.
But dnscrypt-proxy here listens on port 5331 and acts as a client, which means it tries to connect to remote port 443. And what about the outgoing rule not being logged?

jirib
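As an added example (not code from the thread), a small Python parser for the tcpdump pflog lines shown above: it pulls out the socket-owner uid/pid that pf records on each logged packet (the value a 'user' option is compared against) and flags blocked packets whose socket uid differs from the uid that ps reports for the same pid. The sample lines and the pid-to-uid map are constructed from the thread.

```python
import re

# tcpdump -e -vv on pflog0 prints a header of this shape (see the thread):
#   rule N/(match) [uid U, pid P] ACTION DIR on IFACE: [uid U2, pid P2] SRC.SPORT > DST.DPORT: PROTO ...
# The first uid/pid pair belongs to the process that loaded the rule (pfctl);
# the second, when present, is the local socket owner that pf compares
# against a 'user' option.  The second pair is optional in the regex.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) \[uid (?P<rule_uid>\d+), pid (?P<rule_pid>\d+)\] "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?:\[uid (?P<sock_uid>\d+), pid (?P<sock_pid>\d+)\] )?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_pflog_line(line):
    """Return a dict of the pflog fields, or None if the line is not a pflog record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("rule", "rule_uid", "rule_pid", "sport", "dport"):
        rec[k] = int(rec[k])
    for k in ("sock_uid", "sock_pid"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec


def uid_mismatches(lines, ps_uids):
    """For each blocked packet that carries a socket owner, compare the uid pf
    recorded with the uid ps reports for the same pid (ps_uids: pid -> uid).
    A mismatch is the situation in the thread: the process runs as 688, but
    the socket is attributed to uid 0, so 'user = 688' never matches."""
    found = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block" or rec["sock_pid"] is None:
            continue
        expected = ps_uids.get(rec["sock_pid"])
        if expected is not None and expected != rec["sock_uid"]:
            found.append((rec["sock_pid"], rec["sock_uid"], expected, rec["dst"], rec["dport"]))
    return found


# Constructed sample: the blocked line from the thread plus a passed SSH packet
# without a socket owner, to exercise the optional group.
SAMPLE = [
    "Jan 26 00:41:00.884036 rule 7/(match) [uid 0, pid 23524] block out on iwn0: "
    "[uid 0, pid 16665] 192.168.1.100.10976 > 208.67.220.220.443: udp 512 (ttl 64, id 9876, len 540)",
    "Jan 26 00:41:01.000000 rule 12/(match) [uid 0, pid 23524] pass in on iwn0: "
    "66.7.199.108.22 > 192.168.1.100.16505: tcp 0",
]
PS_UIDS = {16665: 688}  # constructed from the 'ps -axo uid,...,pid' output in the thread

if __name__ == "__main__":
    for pid, sock_uid, ps_uid, dst, dport in uid_mismatches(SAMPLE, PS_UIDS):
        print(f"pid {pid}: socket uid {sock_uid} but process uid {ps_uid} -> {dst}:{dport}")
```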