
RE: tcpdump and rule -1/0



It looks to me like I just needed to flush all the rules and start over. My rules are being parsed ok now. I do have one other question though. Why won't a rule like the following match?

pass in quick log-all on vlan6 inet proto tcp  from 172.16.8.71 to 128.252.21.6 port 135  flags S/SA keep state

I know that 128.252.21.6 resides on vlan6. I can see that traffic in a tcpdump -n -e -ttt -i pflog0 net 128.252.21.6 port 135. However, this rule will not match anything until I remove the "on vlan6". Then it works fine. If I pull out the "on vlan6" and change "keep state" to "modulate state" the rule will die too.

I am testing with telnet 128.252.21.6 135 and I am using OpenBSD 3.3 stable.

Thanks again,

Andrew Eaton

-----Original Message-----
From: Eaton, Andy
Sent: Thursday, September 11, 2003 5:38 PM
To: '[email protected]'
Subject: tcpdump and rule -1/0

Hello all,

I am having a problem with filtering on a vlan-aware bridge. I am wondering if anyone has seen a tcpdump that looks like the following and what it means, particularly the part about the rule -1/0(match).

Sep 11 17:35:33.988497 rule -1/0(match): pass in on vlan16: 64.236.34.72.80 > 172.16.0.36.3114: . 63809:64321(512) ack 1 win 4096

Sep 11 17:35:33.988501 rule -1/0(match): pass out on vlan17: 64.236.34.72.80 > 172.16.0.36.3114: . 63809:64321(512) ack 1 win 4096

Sep 11 17:35:33.989717 rule -1/0(match): pass in on vlan17: 172.16.0.36.3114 > 64.236.34.72.80: . ack 64321 win 0 (DF)

Sep 11 17:35:33.989720 rule -1/0(match): pass out on vlan16: 172.16.0.36.3114 > 64.236.34.72.80: . ack 64321 win 0 (DF)

I have spent a lot of time debugging this and the rules are not being parsed right.  I thought I might start here.

Thanks in advance,

Andrew Eaton
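As an added example (not part of the thread and not OpenBSD or pf code), here is a small Python parser for the pflog0 lines that tcpdump prints in the format quoted above. The sample input is a constructed copy of the four lines from the original message. The parser pulls out the rule index, sub-rule index, match reason, action, direction, interface and the two endpoints, tallies entries per interface and direction, and separates the entries that report a negative rule index so they can be compared against the ruleset loaded with pfctl. The regular expression, the field names and the helper names are my own assumptions about the format; endpoint splitting assumes the IPv4 "host.port" form that tcpdump -n prints.

```python
import re
from collections import Counter

# Constructed sample: the four pflog lines quoted in the original message.
SAMPLE_LOG = """\
Sep 11 17:35:33.988497 rule -1/0(match): pass in on vlan16: 64.236.34.72.80 > 172.16.0.36.3114: . 63809:64321(512) ack 1 win 4096
Sep 11 17:35:33.988501 rule -1/0(match): pass out on vlan17: 64.236.34.72.80 > 172.16.0.36.3114: . 63809:64321(512) ack 1 win 4096
Sep 11 17:35:33.989717 rule -1/0(match): pass in on vlan17: 172.16.0.36.3114 > 64.236.34.72.80: . ack 64321 win 0 (DF)
Sep 11 17:35:33.989720 rule -1/0(match): pass out on vlan16: 172.16.0.36.3114 > 64.236.34.72.80: . ack 64321 win 0 (DF)
"""

# Assumed layout of one tcpdump-on-pflog0 line (hypothetical pattern written for this example):
#   <timestamp> rule <n>/<sub>(<reason>): <action> <in|out> on <ifname>: <src> > <dst>: <tcp details>
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) "
    r"rule (?P<rule>-?\d+)/(?P<sub>-?\d+)\((?P<reason>[a-z-]+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): ?(?P<rest>.*)$"
)


def split_host_port(endpoint):
    """Split tcpdump's IPv4 'a.b.c.d.port' form into (host, port)."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    return endpoint, None  # no trailing numeric port component


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_host, src_port = split_host_port(d["src"])
    dst_host, dst_port = split_host_port(d["dst"])
    return {
        "ts": d["ts"],
        "rule": int(d["rule"]),      # rule index as reported by pflog (-1 in the sample)
        "sub": int(d["sub"]),        # sub-rule index (0 in the sample)
        "reason": d["reason"],       # e.g. "match"
        "action": d["action"],       # "pass" / "block"
        "dir": d["dir"],             # "in" / "out"
        "ifname": d["ifname"],       # interface the packet was logged on
        "src": src_host, "sport": src_port,
        "dst": dst_host, "dport": dst_port,
        "tcp": d["rest"],            # remaining TCP details, kept verbatim
    }


def summarize(text):
    """Count entries per (rule, sub, action, dir, ifname); also return unparsed lines."""
    counts = Counter()
    unparsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pflog_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        counts[(rec["rule"], rec["sub"], rec["action"], rec["dir"], rec["ifname"])] += 1
    return counts, unparsed


def unnumbered_rule_entries(text):
    """Entries whose reported rule index is negative, like the 'rule -1/0' lines above."""
    return [r for r in map(parse_pflog_line, text.splitlines()) if r and r["rule"] < 0]


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(f"rule {key[0]}/{key[1]} {key[2]} {key[3]} on {key[4]}: {n} packet(s)")
    for rec in unnumbered_rule_entries(SAMPLE_LOG):
        print(f"negative rule index: {rec['ts']} {rec['dir']} on {rec['ifname']} "
              f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}")
    if unparsed:
        print("unparsed lines:", unparsed)
```

Running it on the sample shows the same two-interface pattern the post describes: each packet is logged once inbound on one vlan interface and once outbound on the other, which is what a bridge between two vlan interfaces would produce when both sides are logged. Feed it `tcpdump -n -e -ttt -i pflog0` output on a real box (the `-e` link-level header would need the pattern extended) to get the same tally per interface.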