Re: bidirectional NAT in PF?
David DeSimone wrote:
> I think I am using the wrong terminology. I should probably call it
> "double NAT" to differentiate it. "binat" works fine but it still only
> changes ONE of the IP's being translated (the source IP). In PF, you
> can use "nat" to translate the source IP, and "redir" to change the
> dest IP, but what if you want to change both? There is no direct way
> to do this, so I am wondering if two different rules could be matched
> at different times during the packet's transit through the gateway.

The common way is to use two rules: a nat and an rdr. This is used to
fix the "reflection problem", for instance. I have used it with ipfilter
in the past (though not for a reflection issue, but for a DMZ setup),
but I guess it works similarly on pf and other filters.

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
FreeBSD 7.1-PRERELEASE Trouble
PF doesn't block some IP

=== pf.conf ===

ext_if="bge0"
table <dnsflood> { 78.107.71.38 89.179.195.34 }

block quick from <dnsflood>
pass out
pass in
=== pf.conf ===

# pfctl -e -f /etc/pf.conf

# tcpdump -netxi bge0 host 89.179.195.34
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69: 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
        0x: 4500 0037 3034 3811 4089 59b3 c322
        0x0010: c30e 3215 0935 0035 0023 0314 8c1d 0100
        0x0020: 0001 0565 6d69 6c73 0363
        0x0030: 6f6d 0100 01
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 84: 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/1 (42)
        0x: 4500 0046 84a8 4011 c30e 3215
        0x0010: 59b3 c322 0035 0935 0032 c7de bb99 8182
        0x0020: 0001 0001 0377 0565 6d69
        0x0030: 6c73 0363 6f6d 0100 0100 0029 1000
        0x0040:
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73: 195.14.50.21.53 > 89.179.195.34.2357: 22012 ServFail 0/0/0 (31)
        0x: 4500 003b 84a9 4011 c30e 3215
        0x0010: 59b3 c322 0035 0935 0027 3dbc 55fc 8182
        0x0020: 0001 0377 0565 6d69
        0x0030: 6c73 0363 6f6d 0100 01
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 69: 195.14.50.21.53 > 89.179.195.34.2357: 35869 ServFail 0/0/0 (27)
        0x: 4500 0037 84ac 4011 c30e 3215
        0x0010: 59b3 c322 0035 0935 0023 8291 8c1d 8182
        0x0020: 0001 0565 6d69 6c73 0363
        0x0030: 6f6d 0100 01
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 73: 89.179.195.34.2357 > 195.14.50.21.53: 48025+ A? www.emils.com. (31)
        0x: 4500 003b 3035 3811 4084 59b3 c322
        0x0010: c30e 3215 0935 0035 0027 58a1 bb99 0100
        0x0020: 0001 0377 0565 6d69
        0x0030: 6c73 0363 6f6d 0100 01
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73: 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/0 (31)
        0x: 4500 003b 84ae 4011 c30e 3215
        0x0010: 59b3 c322 0035 0935 0027 d81e bb99 8182
        0x0020: 0001 0377 0565 6d69
        0x0030: 6c73 0363 6f6d 0100 01

tcpdump -netxi bge0 host 78.107.71.38
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 94: 78.107.71.38.37367 > 195.14.50.21.53: 38168+ A? nc-71-51-232-31.dhcp.embarqhsd.net. (52)
        0x: 4500 0050 ae4f 4000 3b11 0699 4e6b 4726
        0x0010: c30e 3215 91f7 0035 003c e6ca 9518 0100
        0x0020: 0001 0f6e 632d 3731 2d35
        0x0030: 312d 3233 322d 3331 0464 6863 7009 656d
        0x0040: 6261 7271 6873 6403 6e65 7400 0001 0001
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 89: 78.107.71.38.37368 > 195.14.50.21.53: 50276+ A? 166.156.122.89.bl.spamcop.net. (47)
        0x: 4500 004b ae68 4000 3b11 0685 4e6b 4726
        0x0010: c30e 3215 91f8 0035 0037 18d5 c464 0100
        0x0020: 0001 0331 3636 0331 3536
        0x0030: 0331 3232 0238 3902 626c 0773 7061 6d63
        0x0040: 6f70 036e 6574 0100 01

Add to pf.conf
block quick from 89.179.195.34 - same, doesn't work.

May be trouble in config?
Re: FreeBSD 7.1-PRERELEASE Trouble
On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote:
> PF doesn't block some IP
>
> === pf.conf ===
>
> ext_if="bge0"
> table <dnsflood> { 78.107.71.38 89.179.195.34 }
>
> block quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
>
> # pfctl -e -f /etc/pf.conf
>
> # tcpdump -netxi bge0 host 89.179.195.34
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
> [...]
>
> Add to pf.conf
> block quick from 89.179.195.34 - same, doesn't work.
>
> May be trouble in config?

Please show the output of "pfctl -s rules".

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: FreeBSD 7.1-PRERELEASE Trouble
On Mon, Sep 08, 2008 at 08:51:39AM -0700, Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote:
> > PF doesn't block some IP
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table <dnsflood> { 78.107.71.38 89.179.195.34 }
> >
> > block quick from <dnsflood>
> > pass out
> > pass in
> > === pf.conf ===
> >
> > # pfctl -e -f /etc/pf.conf
> >
> > # tcpdump -netxi bge0 host 89.179.195.34
> > [...]
> >
> > Add to pf.conf
> > block quick from 89.179.195.34 - same, doesn't work.
> >
> > May be trouble in config?
>
> Please show the output of "pfctl -s rules".

Also, you might want to ensure the entries in the table are getting hit:

  pfctl -T show -t dnsflood -v

If the counters for Block are getting incremented, then the rule is
working.

What might be happening is pf has a state table entry which is allowing
the machine in the table to still continue sending packets to it, on the
same TCP/UDP socket as before.  You can verify this by using
"pfctl -s state | grep ip".  To remove the states, use "pfctl -k ip".

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: FreeBSD 7.1-PRERELEASE Trouble
Hello,

Dmitry Rybin wrote:
> PF doesn't block some IP
>
> === pf.conf ===
>
> ext_if="bge0"
> table <dnsflood> { 78.107.71.38 89.179.195.34 }

Afaik you need to separate them with a comma (,)

--
Jille

> [...]
Re: FreeBSD 7.1-PRERELEASE Trouble
On Mon, Sep 08, 2008 at 05:45:44PM +0200, Jille wrote:
> Dmitry Rybin wrote:
> > PF doesn't block some IP
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table <dnsflood> { 78.107.71.38 89.179.195.34 }
>
> Afaik you need to separate them with a comma (,)

This is incorrect.  You can use a comma or a space, as the BNF grammar in
pf.conf specifies.  Here's the grammar break-down, one step at a time:

line           = ( option | pf-rule | nat-rule | binat-rule | rdr-rule |
                   antispoof-rule | altq-rule | queue-rule | trans-anchors |
                   anchor-rule | anchor-close | load-anchor | table-rule | )

table-rule     = "table" "<" string ">" [ tableopts-list ]

tableopts-list = tableopts-list tableopts | tableopts

tableopts      = "persist" | "const" | "file" string |
                 "{" [ tableaddr-list ] "}"

tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec

Note in tableaddr-list the string: [ "," ].  This means the comma is
optional between items within the braces.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
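The grammar Jeremy quotes can be checked mechanically. The Python below is an added example by the editor, not code from the thread or from pf itself: it parses one pf.conf table-rule line the way the BNF above describes, treating the comma in tableaddr-list as an optional separator (so the two spellings Dmitry and Jille disagree about yield the same member set), handles the persist/const/file options, rejects an unterminated brace list, and lints the members so that a mistyped IP literal is noticed before it is treated as a hostname at load time. The function names and the sample rules other than Dmitry's are constructed for the example; it handles one logical line, not a table definition wrapped across several.

```python
import ipaddress
import re

# Grammar from pf.conf(5), as quoted in the thread:
#   table-rule     = "table" "<" string ">" [ tableopts-list ]
#   tableopts      = "persist" | "const" | "file" string | "{" [ tableaddr-list ] "}"
#   tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
# The comma in tableaddr-list is optional, so whitespace alone separates members.

_TABLE_RE = re.compile(r'^\s*table\s*<(?P<name>[^>]+)>(?P<rest>.*)$')
# Tokens: a quoted string, a single brace, or a run of non-separator characters.
# Commas are never tokens; like whitespace they only separate, which is what
# makes "a, b" and "a b" parse identically.
_TOKEN_RE = re.compile(r'"[^"]*"|\{|\}|[^\s,{}]+')


def parse_table_rule(line):
    """Parse one pf.conf table-rule into (name, options, members).

    options is a list of 'persist', 'const' or ('file', path); members is the
    list of address specs found inside the braces, in order of appearance.
    """
    text = line.split('#', 1)[0]            # drop a trailing comment
    m = _TABLE_RE.match(text)
    if not m:
        raise ValueError(f'not a table rule: {line!r}')
    name = m.group('name').strip()
    tokens = _TOKEN_RE.findall(m.group('rest'))
    options, members = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ('persist', 'const'):
            options.append(tok)
            i += 1
        elif tok == 'file':
            if i + 1 >= len(tokens):
                raise ValueError('"file" requires a path')
            options.append(('file', tokens[i + 1].strip('"')))
            i += 2
        elif tok == '{':
            if '}' not in tokens[i + 1:]:
                raise ValueError('unterminated "{" in table rule')
            close = tokens.index('}', i + 1)
            members.extend(tokens[i + 1:close])
            i = close + 1
        else:
            raise ValueError(f'unexpected token {tok!r}')
    return name, options, members


def table_members(line):
    """The member set of a table rule; the comma and space spellings agree."""
    return set(parse_table_rule(line)[2])


def check_members(members):
    """Classify each member as 'address', 'network' or 'name', honouring the
    optional leading '!' of tableaddr-spec.  Anything that is not an IP literal
    is a hostname or interface name that pfctl must resolve at load time, so a
    typo in an address shows up here as an unexpected 'name'."""
    kinds = []
    for spec in members:
        body = spec[1:] if spec.startswith('!') else spec
        try:
            ipaddress.ip_network(body, strict=False)
            kinds.append((spec, 'network' if '/' in body else 'address'))
        except ValueError:
            kinds.append((spec, 'name'))
    return kinds


if __name__ == '__main__':
    spaced = 'table <dnsflood> { 78.107.71.38 89.179.195.34 }'   # Dmitry's rule
    commas = 'table <dnsflood> persist { 78.107.71.38, 89.179.195.34 }'
    print(parse_table_rule(spaced))
    print('same members:', table_members(spaced) == table_members(commas))
    print(check_members(['10.0.0.0/8', '!10.1.2.3', '78.1O7.71.38']))
```

The last lint call is the practical payoff: `78.1O7.71.38` (a letter O) is a legal tableaddr-spec as far as the grammar is concerned, but it classifies as a name rather than an address, which is the cue to look again before loading the ruleset.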
Re: FreeBSD 7.1-PRERELEASE Trouble
Dmitry Rybin <[EMAIL PROTECTED]> wrote:
>
> PF doesn't block some IP
>
> === pf.conf ===
>
> ext_if="bge0"
> table <dnsflood> { 78.107.71.38 89.179.195.34 }
>
> block quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
>
> # pfctl -e -f /etc/pf.conf
>
> # tcpdump -netxi bge0 host 89.179.195.34
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
> 0x: 4500 0037 3034 3811 4089 59b3 c322
> 0x0010: c30e 3215 0935 0035 0023 0314 8c1d 0100
> 0x0020: 0001 0565 6d69 6c73 0363
> 0x0030: 6f6d 0100 01

Even if PF causes the packet to be dropped, it will still show up on your
inbound interface.  You cannot prevent the packet from being sent to you
unless you block it further upstream.

--
David DeSimone == Network Admin == [EMAIL PROTECTED]
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it."  -- Clarence Darrow
Re: FreeBSD 7.1-PRERELEASE Trouble
On Mon, Sep 08, 2008 at 01:04:07PM -0500, David DeSimone wrote:
> Dmitry Rybin <[EMAIL PROTECTED]> wrote:
> >
> > PF doesn't block some IP
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table <dnsflood> { 78.107.71.38 89.179.195.34 }
> >
> > block quick from <dnsflood>
> > pass out
> > pass in
> > === pf.conf ===
> >
> > # pfctl -e -f /etc/pf.conf
> >
> > # tcpdump -netxi bge0 host 89.179.195.34
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> > 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
> > [...]
>
> Even if PF causes the packet to be dropped, it will still show up on
> your inbound interface.  You cannot prevent the packet from being sent
> to you unless you block it further upstream.

I was going to reply with the same thing, but aborted -- his tcpdump
shows *bidirectional* traffic, both from the bad host and *to* the bad
host.  OP's server is replying to the packet which pf has supposedly
blocked.  This is why I think it's a state tracking thing and he might
need to use -k.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: FreeBSD 7.1-PRERELEASE Trouble
On Tue, Sep 09, 2008 at 09:20:20AM +0400, Dmitry Rybin wrote:
> === pf.conf ===
> ext_if="bge0"
>
> block in quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
> # pfctl -f
> # pfctl -t dnsflood -Tadd 78.107.71.38
> # pfctl -t dnsflood -Tadd 89.179.195.34
> # pfctl -t dnsflood -Tshow
>    78.107.71.38
>    89.179.195.34
>
> and so on.
> # pfctl -k 78.107.71.38
> killed 1 states from 1 sources and 0 destinations
> [EMAIL PROTECTED] /opt/home/kirgudu]# tcpdump -ibge0 -p -n host 78.107.71.38
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:12:37.260545 IP 78.107.71.38.46316 > 195.14.50.21.53: 21852+ TXT? 170.225.6.117.bl.spamcop.net. (46)
> 09:12:37.812533 IP 78.107.71.38.46317 > 195.14.50.21.53: 52423+ PTR? 142.220.10.10.in-addr.arpa. (44)
> 09:12:38.838395 IP 195.14.50.21.53 > 78.107.71.38.42859: 13664 ServFail 0/0/0 (46)
> 09:12:38.838420 IP 195.14.50.21.53 > 78.107.71.38.42859: 6698 ServFail 0/0/0 (46)
> 09:12:39.028347 IP 78.107.71.38.46318 > 195.14.50.21.53: 3221+ PTR? 109.220.10.10.in-addr.arpa. (44)
> 09:12:39.492471 IP 78.107.71.38.46319 > 195.14.50.21.53: 1887+ PTR? 57.63.8.58.in-addr.arpa. (41)
>
> # pfctl -s state|grep 78.107.71.38
> all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
>
> DNS service replying to the blocked host.
>
> # pfctl -s rules
> block drop quick in on bge0 inet from <dnsflood> to any
> pass in all flags S/SA keep state
> pass out all flags S/SA keep state

Hmm, it appears that even with the "block" rule in place, and all previous
state table entries flushed, the packet is somehow making it through.

Does "pfctl -T show -t dnsflood -v" show any In/Block hits on the table
entry for 78.107.71.38?  (I doubt it, but I want to make sure).

Only two ideas I have left:

1) Are you *absolutely sure* the packets are arriving on bge0 and not some
   other interface?

2) Is pf processing even enabled?

   pfctl -s info | head -1

Also, you removed the freebsd-pf mailing list from your response to me.  I
don't know why, so I've re-added it.

If none of the above helps, then I'm out of ideas and David or Max will
have to assist in figuring out the root cause.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
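The two observations the thread turns on, David's (a dropped packet still appears on the inbound interface, so seeing traffic *from* a blocked host proves nothing) and Jeremy's (traffic *to* the blocked host, plus a lingering entry in `pfctl -s state`, shows the block is not taking effect), can be applied to a capture mechanically. The Python below is an added example by the editor, not code from the thread: it takes the `tcpdump -n` and `pfctl -s state` lines Dmitry posted as its sample input, separates inbound-from-blocked packets from outbound-to-blocked ones, flags outbound replies whose peer port never appears as a query source in the same capture (the signature of a state created before the capture started), and derives the `pfctl -k` commands Jeremy suggests. It assumes only the two output formats shown on the page; the function names are the example's own.

```python
import re

# Sample input taken from Dmitry's follow-up in this thread (not a live capture):
# the two <dnsflood> table members, the DNS server's own address, six tcpdump -n
# lines and the single "pfctl -s state" line.
BLOCKED = {"78.107.71.38", "89.179.195.34"}
LOCAL = "195.14.50.21"

TCPDUMP_LINES = [
    "09:12:37.260545 IP 78.107.71.38.46316 > 195.14.50.21.53: 21852+ TXT? 170.225.6.117.bl.spamcop.net. (46)",
    "09:12:37.812533 IP 78.107.71.38.46317 > 195.14.50.21.53: 52423+ PTR? 142.220.10.10.in-addr.arpa. (44)",
    "09:12:38.838395 IP 195.14.50.21.53 > 78.107.71.38.42859: 13664 ServFail 0/0/0 (46)",
    "09:12:38.838420 IP 195.14.50.21.53 > 78.107.71.38.42859: 6698 ServFail 0/0/0 (46)",
    "09:12:39.028347 IP 78.107.71.38.46318 > 195.14.50.21.53: 3221+ PTR? 109.220.10.10.in-addr.arpa. (44)",
    "09:12:39.492471 IP 78.107.71.38.46319 > 195.14.50.21.53: 1887+ PTR? 57.63.8.58.in-addr.arpa. (41)",
]
STATE_LINES = ["all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE"]

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: ..." as printed by tcpdump -n
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PKT_RE = re.compile(rf"^\S+ IP {IP}\.(\d+) > {IP}\.(\d+):")
# "<if> <proto> <a>:<ap> -> <b>:<bp> ..." as printed by pfctl -s state on FreeBSD 7
STATE_RE = re.compile(rf"^\S+ (\S+) {IP}:(\d+) (->|<-) {IP}:(\d+)")


def parse_packets(lines):
    """Yield (src, sport, dst, dport) for each line that decodes as an IPv4 packet."""
    for line in lines:
        m = PKT_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            yield src, int(sport), dst, int(dport)


def classify(lines, blocked, local):
    """Split traffic involving blocked hosts into two buckets.

    inbound : (src, sport) of packets FROM a blocked host.  These are visible in
              tcpdump even when the rule works, because pf drops the packet only
              after the interface has received it.
    outbound: (dst, dport) of packets FROM us TO a blocked host.  A working
              'block in' rule leaves nothing to answer, so any entry here means
              the block is not effective for that flow.
    """
    inbound, outbound = [], []
    for src, sport, dst, dport in parse_packets(lines):
        if src in blocked and dst == local:
            inbound.append((src, sport))
        elif src == local and dst in blocked:
            outbound.append((dst, dport))
    return inbound, outbound


def orphan_replies(lines, blocked, local):
    """Outbound packets to a blocked host whose peer port never appears as a query
    source port in the same capture: answers to a query older than the capture,
    which is what a pre-existing state-table entry looks like on the wire."""
    inbound, outbound = classify(lines, blocked, local)
    seen = set(inbound)
    return [peer for peer in outbound if peer not in seen]


def blocked_states(lines, blocked):
    """Blocked-host address for every 'pfctl -s state' line that involves one."""
    hits = []
    for line in lines:
        m = STATE_RE.match(line)
        if not m:
            continue
        _proto, a, _ap, _dir, b, _bp = m.groups()
        hits.extend(host for host in (a, b) if host in blocked)
    return hits


def kill_commands(state_hosts):
    """One 'pfctl -k <host>' per blocked host that still owns a state entry."""
    return [f"pfctl -k {host}" for host in sorted(set(state_hosts))]


if __name__ == "__main__":
    inbound, outbound = classify(TCPDUMP_LINES, BLOCKED, LOCAL)
    print(f"{len(inbound)} packets from blocked hosts (expected even if the rule works)")
    print(f"{len(outbound)} packets from us to blocked hosts (block not effective)")
    print("replies to queries not seen in this capture:", orphan_replies(TCPDUMP_LINES, BLOCKED, LOCAL))
    for cmd in kill_commands(blocked_states(STATE_LINES, BLOCKED)):
        print(cmd)
```

On Dmitry's capture the outbound bucket holds the two ServFail answers to port 42859, and both are orphans: none of the four visible queries came from that port. That matches the surviving `pfctl -s state` entry for 195.14.50.21:53 -> 78.107.71.38:42859 and is exactly the pattern Jeremy's `pfctl -k` suggestion addresses; a fresh query that got answered would show up as a non-orphan outbound packet instead, pointing at the rule or interface questions in his last message.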