Confirmation: rule 44 blocks:

@42 block drop in log on bge1 all
  [ Evaluations: 32122 Packets: 17 Bytes: 1428 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@43 block drop out log on bge1 all
  [ Evaluations: 45 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@44 block drop in log on em0 all
  [ Evaluations: 32122 Packets: 28857 Bytes: 13154820 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@45 block drop out log on em0 all
  [ Evaluations: 29572 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@46 block drop in quick on bge0 inet from 172.30.251.33 to any
  [ Evaluations: 32122 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@47 block drop in quick on bge0 inet from 10.33.15.33 to any
  [ Evaluations: 2461 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@48 block drop in quick on em0 inet from 172.30.251.33 to any
  [ Evaluations: 32086 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@49 block drop in quick on em0 inet from 10.33.15.33 to any
  [ Evaluations: 29369 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
--- some pass in quick inet proto tcp from IP to any port = ssh flags S/SA keep state

@65 block return-rst in quick inet proto tcp from any to 127.0.0.1 port = ssh
  [ Evaluations: 28667 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@66 block return-rst in quick inet proto tcp from any to IP port = ssh
  [ Evaluations: 28667 Packets: 2 Bytes: 120 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@67 block return-rst in quick inet proto tcp from any to 10.33.15.4 port = ssh
  [ Evaluations: 28650 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]
@68 block return-rst in quick inet proto tcp from any to 172.30.251.4 port = ssh
  [ Evaluations: 28650 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 9178 State Creations: 0 ]

And then the pass rules:

@117 pass in on em0 inet from 172.30.251.0/24 to 172.30.251.0/24 flags S/SA keep state
  [ Evaluations: 16 Packets: 2 Bytes: 480 States: 2 ]
  [ Inserted: uid 0 pid 9378 State Creations: 2 ]
@118 pass out on em0 inet from 172.30.251.0/24 to 172.30.251.0/24 flags S/SA keep state
  [ Evaluations: 3 Packets: 1 Bytes: 28 States: 1 ]
  [ Inserted: uid 0 pid 9378 State Creations: 1 ]

You're right, it seems the filters are not loaded, and the firewall seems to stop at rule 44.
I still checked pf.conf with od -c but didn't find any special chars.

Regards

-----Original Message-----
From: Woodchuck [mailto:mar...@pennswoods.net]
Sent: Tuesday 18 August 2009 18:02
To: Rioux, Christophe
Subject: Re: Some strange blocking packets

On Tue, Aug 18, 2009 at 10:56 AM, Rioux, Christophe<cri...@viseo.net> wrote:
> Hi,
>
> I have some strange packet filtering on an openbsd 4.4
>
> at the beginning a normal block all (not a "block in quick", but only a "block in")
>
> block in log on em0 all
> block out log on em0 all
>
> then I authorise some traffic:
>
> pass in on em0 from "172.30.251.0/24" to "172.30.251.0/24" keep state
> pass out on em0 from "172.30.251.0/24" to "172.30.251.0/24" keep state
>
> If I log the result, I see:
>
> Aug 17 17:41:02.521407 rule 44/(match) block in on em0: 172.30.251.131.2715 > 172.30.251.141.2146: [|tcp]
> => rule 42 is the rule "block in log on em0 all".
>
> I worked with macros and I checked the result with pfctl -s rules => everything is ok
>
> pass in on em0 inet from 172.30.251.0/24 to 172.30.251.0/24 flags S/SA keep state
> pass out on em0 inet from 172.30.251.0/24 to 172.30.251.0/24 flags S/SA keep state
>
> An idea ?
>
> Regards
> Christophe

Somebody will doubtless want to look at the other 40+ rules. It seems odd that "block in all on em0" ended up as rule 44.

Dave

--
Caution, this account is hosted by gmail. Strangers scan the content of all mail transiting such accounts.
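As an added example (editor's code, not something posted in this thread), the following Python replays pf's rule-matching order over a constructed pfctl -vvsr excerpt assembled from three of the rules quoted above (44, 68 and 117, with their counters and "Inserted" pids as shown). It assumes the standard pf semantics that the last matching rule wins unless a matching rule is marked quick, handles only the subset of rule syntax that occurs in this ruleset, and assumes pfctl printed port 22 by its service name ssh. Replaying the logged packet (172.30.251.131.2715 > 172.30.251.141.2146 in on em0) gives rule 117 when the pass rules are in the ruleset and rule 44 when only the rules inserted by pid 9178 are; the quoted output shows 117/118 carrying pid 9378 while 42-68 carry 9178, i.e. two different pfctl invocations inserted them, which is the kind of thing the pid grouping below makes visible.

```python
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three of the `pfctl -vvsr` rules quoted in the thread,
# with the rule numbers, counters and inserting pids as they appear there.
SAMPLE_PFCTL_OUTPUT = """\
@44 block drop in log on em0 all
  [ Evaluations: 32122     Packets: 28857     Bytes: 13154820    States: 0     ]
  [ Inserted: uid 0 pid 9178 State Creations: 0     ]
@68 block return-rst in quick inet proto tcp from any to 172.30.251.4 port = ssh
  [ Evaluations: 28650     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 9178 State Creations: 0     ]
@117 pass in on em0 inet from 172.30.251.0/24 to 172.30.251.0/24 flags S/SA keep state
  [ Evaluations: 16        Packets: 2         Bytes: 480         States: 2     ]
  [ Inserted: uid 0 pid 9378 State Creations: 2     ]
"""
SERVICE_PORTS = {"ssh": 22}   # assumption: pfctl printed the port by service name
RULE_RE = re.compile(r"^@(\d+)\s+(.+)$")
INSERTED_RE = re.compile(r"Inserted: uid \d+ pid (\d+)")

# A packet as pf would classify it; dport is the destination port.
Packet = namedtuple("Packet", "direction iface proto src dst dport")


@dataclass
class Rule:
    number: int
    action: str                # pass / block
    direction: str             # in / out
    quick: bool
    iface: Optional[str]       # None = any interface (same for the next four)
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    pid: Optional[int] = None  # pfctl process that inserted the rule


def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule_text(number, text):
    """Parse the text pfctl prints after '@N'. Only the keywords present in the
    thread's ruleset are handled; 'flags' / 'keep state' do not decide a match."""
    toks = text.split()
    action, i = toks[0], 1
    if toks[i] in ("drop", "return-rst", "return", "return-icmp"):
        i += 1                                  # block subtype, not a criterion
    direction, i = toks[i], i + 1
    quick, iface, proto, src, dst, dport = False, None, None, None, None, None
    while i < len(toks):
        t = toks[i]
        if t in ("log", "all", "inet", "inet6"):
            i += 1
        elif t == "quick":
            quick, i = True, i + 1
        elif t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "proto":
            proto, i = toks[i + 1], i + 2
        elif t == "from":
            src, i = _net(toks[i + 1]), i + 2
        elif t == "to":
            dst, i = _net(toks[i + 1]), i + 2
        elif t == "port":                       # "port = ssh"; follows "to" here
            p = toks[i + 2]
            dport, i = (SERVICE_PORTS[p] if p in SERVICE_PORTS else int(p)), i + 3
        else:
            break                               # flags / keep state / options
    return Rule(number, action, direction, quick, iface, proto, src, dst, dport)


def parse_pfctl_output(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(parse_rule_text(int(m.group(1)), m.group(2)))
        elif rules and (m := INSERTED_RE.search(line)):
            rules[-1].pid = int(m.group(1))
    return rules


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def effective_rule(rules, pkt):
    """pf walks the ruleset top to bottom: the last matching rule wins, unless a
    matching rule carries 'quick', which ends evaluation at that rule."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def rules_by_pid(rules):
    """Group rule numbers by the pid in '[ Inserted: uid .. pid .. ]'; more than
    one pid means more than one pfctl invocation contributed to the ruleset."""
    groups = {}
    for rule in rules:
        groups.setdefault(rule.pid, []).append(rule.number)
    return groups
```

To replay a live ruleset, pass the captured output of pfctl -vvsr to parse_pfctl_output in place of the constructed sample, then call effective_rule with the packet fields taken from the pflog line; if the rule it returns differs from the rule number pflog reported, the ruleset pf was running when it logged the packet was not the one you are looking at.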