
packets slipping past explicit PF rule?

07:29:56 Default DROP TCP 222.93.240.134 : 4118 → [Our Public IP] : 80 [SYN] len=48 ttl=116 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:08:02:a4:99:5f


I have a group "Chinese Hackers" that includes 222.93.240.0/22 and a PF rule 'Chinese Hackers → Any → Any : Drop'.

99% of such packets are indeed dropped by my rule.  Any thoughts about how the packet above could have slithered past my PF rule before being default dropped?

Cheers - Bob


  • This was in the packet filter live log earlier today.  Here's the line from the PF log:
    2009:10:09-07:29:56 post ulogd[3079]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth1" outitf="unknown" dstmac="00:08:02:a4:99:5f" srcmac="00:00:00:00:00:00" srcip="222.93.240.134" dstip="[Our Public IP]" proto="6" length="48" tos="0x00" prec="0x00" ttl="116" srcport="4118" dstport="80" tcpflags="SYN"

    Cheers - Bob
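Two things the quoted ulogd line can settle are whether the source address really sits inside the group's /22 and which rule id recorded the drop. The script below is an added example (my code, not the firewall vendor's) that parses the key="value" fields and answers both; the id of the explicit "Chinese Hackers → Any → Any : Drop" rule is not given in the thread, so it is passed in as an obviously labelled placeholder.

```python
import ipaddress
import re

# Constructed sample input: the ulogd "Packet dropped" line quoted in the thread,
# with the destination address left as the same placeholder the poster used.
SAMPLE_LINE = (
    '2009:10:09-07:29:56 post ulogd[3079]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" '
    'initf="eth1" outitf="unknown" dstmac="00:08:02:a4:99:5f" srcmac="00:00:00:00:00:00" '
    'srcip="222.93.240.134" dstip="[Our Public IP]" proto="6" length="48" tos="0x00" '
    'prec="0x00" ttl="116" srcport="4118" dstport="80" tcpflags="SYN"'
)

# The network group from the thread; a /22 spans 222.93.240.0 through 222.93.243.255.
GROUP_NETWORKS = ["222.93.240.0/22"]

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """Split a ulogd key="value" line into a dict; the timestamp/process prefix is dropped."""
    return dict(_KV.findall(line))


def ip_in_group(ip, networks):
    """True if ip falls inside any CIDR of the group; non-addresses (placeholders) never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def classify_drop(line, group_networks, explicit_rule_ids):
    """Report whether the logged drop came from the explicit group rule or from something else.

    explicit_rule_ids: set of fwrule ids that belong to the explicit
    'group -> Any -> Any : Drop' rule (assumed input; the thread does not state that id).
    """
    fields = parse_ulogd(line)
    return {
        "srcip": fields.get("srcip"),
        "fwrule": fields.get("fwrule"),
        "src_in_group": ip_in_group(fields.get("srcip", ""), group_networks),
        "dropped_by_explicit_rule": fields.get("fwrule") in explicit_rule_ids,
    }


if __name__ == "__main__":
    # "EXPLICIT_RULE_ID" is a placeholder: substitute the real id of the group drop rule.
    result = classify_drop(SAMPLE_LINE, GROUP_NETWORKS, explicit_rule_ids={"EXPLICIT_RULE_ID"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the quoted line the source is inside the /22, so the group definition itself is not the gap; the interesting field is `fwrule="60001"`, which can be compared against the id the explicit rule carries in the live log for packets that are dropped as expected.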