
RE: Very Annoying problem... blocks everything...



Ok... I said screw it and completely re-did the config.  I've got most of it
working, but I'm still seeing just a few weird things that are getting
blocked now...
6 is my block in, 7 is my block out.
All of the other DNS is working just fine...  I just see port 53 in here a
couple of times...
============================
07:23:24.345466 rule 6/0(match): block in on dc1: 65.172.62.58.3973 >
65.31.108.206.3379:  udp 12
07:23:24.502276 rule 6/0(match): block in on dc1: 65.172.62.140.1214 >
65.168.173.82.2805:  udp 12
07:23:24.783620 rule 6/0(match): block in on dc1: 65.172.62.152.1024 >
198.77.116.8.53:  15534+ A? KRLK.direcpc.com. (46)
07:23:25.354632 rule 6/0(match): block in on dc1: 65.172.62.58.3973 >
65.25.23.239.1873:  udp 12
07:23:25.404610 rule 7/0(match): block out on dc0: 213.67.113.237.3342 >
65.172.61.201.6346: S 3848218851:3848218851(0) win 16384 <mss
1460,nop,nop,sackOK> (DF)
07:23:25.413441 rule 6/0(match): block in on dc1: 65.172.62.140.1214 >
134.129.63.205.2672:  udp 12
07:23:26.105551 rule 6/0(match): block in on dc1: 65.172.62.58.3777 >
62.195.38.112.2064: S 2594810045:2594810045(0) win 8760 <mss
1460,nop,nop,sackOK> (DF)
07:23:26.282313 rule 6/0(match): block in on dc1: 65.172.62.152.1024 >
198.77.116.8.53:  15534+ A? KRLK.direcpc.com. (46)
07:23:26.365464 rule 6/0(match): block in on dc1: 65.172.62.58.3973 >
65.27.244.188.1261:  udp 12
07:23:26.522323 rule 6/0(match): block in on dc1: 65.172.62.140.1214 >
65.166.158.173.2239:  udp 12
07:23:27.374891 rule 6/0(match): block in on dc1: 65.172.62.58.3973 >
65.30.166.133.2571:  udp 12
07:23:27.482349 rule 6/0(match): block in on dc1: 65.172.62.140.1214 >
65.31.25.21.2886:  udp 12
07:23:27.553453 rule 6/0(match): block in on dc1: 65.172.62.134.1709 >
172.145.107.136.3014: P 451548289:451548691(402) ack 14364311 win 9112 (DF)
07:23:28.374805 rule 6/0(match): block in on dc1: 65.172.62.58.3973 >
65.35.72.29.1519:  udp 12
07:23:28.513473 rule 6/0(match): block in on dc1: 65.172.62.140.1214 >
65.171.14.29.1795:  udp 12
07:23:28.602579 rule 6/0(match): block in on dc1: 65.172.62.134.1706 >
207.69.113.152.3607: P 450659155:450659527(372) ack 852793283 win 9112 (DF)
07:23:28.793476 rule 6/0(match): block in on dc1: 65.172.62.147.3086 >
205.188.179.233.5190: S 3584173258:3584173258(0) win 16384 <mss
1460,nop,nop,sackOK> (DF)
07:23:29.042444 rule 6/0(match): block in on dc1: 65.172.62.145.1145 >
64.12.161.153.5190: S 36704427:36704427(0) win 8192 <mss 536,nop,nop,sackOK>
(DF)
07:23:29.365514 rule 6/0(match): block in on dc1: 65.172.62.58.3973 >
65.35.65.139.2063:  udp 12
07:23:29.453323 rule 6/0(match): block in on dc1: 65.172.62.140.1214 >
216.98.72.126.1826:  udp 12
==================================
-----Original Message-----
From: owner-pf@benzedrine.cx [mailto:owner-pf@benzedrine.cx] On Behalf Of
Jason Dixon
Sent: Monday, December 16, 2002 9:52 PM
To: PF Mailing List
Subject: RE: Very Annoying problem... blocks everything...
On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> on the "tcpdump -nettti pflog0" command, should everything match the last
> two rules, which are:
>
> pass in log quick inet from any to any
> pass out log quick inet from any to any
No.  You have a gazillion other "quick" rules in front of these.  The
first one that matches is going to force the action.  That's why "quick"
should be used very conservatively.
Otherwise, last match wins.
> They were block, but I changed them to pass so I could better see what's
> going on with live traffic...
Don't start changing your rules without monitoring your traffic.  What
kind of logged traffic are you seeing?  We can't help you if you don't
work with us.
-J.
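As an added example (not part of this thread, and not PF's own code), a small Python model of the rule-evaluation order Jason describes: rules are walked top to bottom and the last match wins, unless a matching rule is marked "quick", which ends evaluation on the spot. The ruleset is hypothetical (rules 6 and 7 are assumed to be the poster's quick block rules, 8 and 9 the two pass-everything rules), and the packet is constructed from the blocked DNS query in the log above.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of PF's evaluation order; field names are this example's, not PF syntax.
@dataclass
class Rule:
    num: int                      # rule number as pflog reports it ("rule 6/0")
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    quick: bool = False           # quick: first matching rule forces the action
    proto: Optional[str] = None   # None matches any protocol
    dst: str = "0.0.0.0/0"        # destination network
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["dir"]
                and (self.proto is None or self.proto == pkt["proto"])
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

def evaluate(rules: list, pkt: dict) -> tuple:
    """Return (action, rule number) the model applies; default pass when nothing matches."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule           # last match wins...
            if rule.quick:
                break               # ...unless the match is quick: stop here
    if winner is None:
        return ("pass", None)
    return (winner.action, winner.num)

def without_quick(rules: list) -> list:
    """Same ruleset with every quick flag cleared, to show last-match-wins."""
    return [replace(r, quick=False) for r in rules]

# Hypothetical ruleset: quick blocks in front of the two pass-everything rules.
RULESET = [
    Rule(6, "block", "in", quick=True),
    Rule(7, "block", "out", quick=True),
    Rule(8, "pass", "in", quick=True),
    Rule(9, "pass", "out", quick=True),
]

# Constructed packet: the blocked "block in on dc1 ... 198.77.116.8.53" DNS query.
DNS_QUERY = {"dir": "in", "proto": "udp", "dst": "198.77.116.8", "dport": 53}

if __name__ == "__main__":
    print(evaluate(RULESET, DNS_QUERY))                 # ('block', 6)
    print(evaluate(without_quick(RULESET), DNS_QUERY))  # ('pass', 8)
```

With quick on rule 6 the pass rules are never reached, which is why pflog shows "rule 6/0(match): block in" rather than a match on the later pass rules.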