This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

packets slipping past explicit PF rule?

07:29:56 Default DROP TCP 222.93.240.134 : 4118 → [Our Public IP] : 80 [SYN] len=48 ttl=116 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:08:02:a4:99:5f

I have a group "Chinese Hackers" that includes 222.93.240.0/22 and a PF rule 'Chinese Hackers → Any → Any : Drop'.

99% of such packets are indeed dropped by my rule. Any thoughts about how the packet above could have slithered past my PF rule before being default dropped?

Cheers - Bob

This thread was automatically locked due to age.

0 BarryG over 15 years ago

I wonder why the source mac is 00:00:00:00:00:00.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Ölm over 15 years ago
07:29:56 Default DROP TCP 222.93.240.134 : 4118 → [Our Public IP] : 80 [SYN] len=48 ttl=116 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:08:02:a4:99:5f

Cheers - Bob

Bob, the log line you submitted, from where is it? it doesn´t seem to be from a log inside the ASG. Is it created by a different host in your network? where is this host located?
Cancel
Vote Up 0 Vote Down

Cancel

0 BAlfson over 15 years ago

This was in the packet filter live log earlier today. Here's the line from the PF log:

2009:10:09-07:29:56 post ulogd[3079]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth1" outitf="unknown" dstmac="00:08:02:a4:99:5f" srcmac="00:00:00:00:00:00" srcip="222.93.240.134" dstip="[Our Public IP]" proto="6" length="48" tos="0x00" prec="0x00" ttl="116" srcport="4118" dstport="80" tcpflags="SYN"

Cheers - Bob

0 Ölm over 15 years ago in reply to BAlfson

Bob, can you make some detasiled screenshoots of the PF rule which you think should match before?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago

Here you go!

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Ölm over 15 years ago in reply to BAlfson

Here you go!

Cheers - Bob

The pf rule is missing - image 3 shows the same as image 2 .

And can you please make screenshoots of th detail view of the two network definitions. Thx
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago in reply to Ölm

Jetzt ist alles in Ordnung...

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Ölm over 15 years ago in reply to BAlfson

Cheers - Bob[/QUOTE]

Jetzt ist alles in Ordnung...

Cheers - Bob

Not completely :-)

>>And can you please make screenshoots of th detail view of the two network definitions. Thx
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago in reply to Ölm

You were too quick. I saw your request for the detail after I first made that last post.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago

I think it's time for me to move this over to the 7.500 beta thread as a [BUG].
Cancel
Vote Up 0 Vote Down

Cancel