Re: VPN client cannot connect through OpenBSD router/firewall
jared r r spiegel wrote:
>> Why would I not see the dropped packets in my log file (pflog0).
> in this case i think you would. i looked back at the original
> pf.conf you posted that the other fellow replied to and the
> 'block all' didn't have the "$log_flg" in it (cute idea, btw)...
Thanks. What can I say? I'm lazy. :) Now I just have to create a
command-line argument for my lfw (load firewall) wrapper script that
checks the validity of the rules, dumps any current rules, and loads
the new rules. I'll add this script at the bottom of this message for
anyone who wants it.
> is it possible that you weren't seeing them before, but added
> the $log_flg to this pf.conf after the problem?
I looked and this is exactly what happened. I looked and I am seeing
items like this:
Jan 19 07:43:46.952091 rule 0/0(match): block in on xl1:
10.248.0.145.1211 > 255.255.255.255.1211: udp 95
Jan 19 07:43:57.109716 rule 0/0(match): block in on fxp0:
22.214.171.124.1847 > 126.96.36.199.1434: udp 376
Jan 19 07:44:51.013127 rule 14/0(match): block in on fxp0:
10.49.160.1.67 > 255.255.255.255.68: xid:0x85eca861 flags:0x8000 [|bootp]
BTW, I'm getting *tons* of these! Is it someone hammering my box
trying to find a weakness?
>> Should I be setting pflog0 as my loginterface instead of fxp0?
> nope, 'loginterface' is for the interface pf collects
> operational statistics on ( eg pfctl -si ). i believe
> the interface name and number, pflog0, are hardcoded.
> then pflogd(8) listens to pflog0 and redirects that
> down into /var/log/pflog ( by default ).
Ahhhh cool. That's good. And, speaking of statistics, when I stop
my tcpdump (tcpdump -nettti pflog0), it shows:
265 packets received by filter
0 packets dropped by kernel
If I have set block-policy drop, shouldn't I be seeing these packets
dropped instead of blocked?
lfw - Load Firewall Rulesets script
#!/bin/sh
# Load Firewall Rules (lfw):
# A program to check validity of
# a nat/firewall ruleset, flush
# all existing rules, and load
# the new, valid ruleset.
# Author: rvb
# Date : 12.23.2004

pgm_nm=$(basename "$0")     # program name for the usage message
file="$1"                   # ruleset file to check and load

if [ "$#" -ne 1 ]; then
    echo "Usage: $pgm_nm <file>"
    echo "Note : <file> must conform to pf.conf rules"
    echo "       See man pf.conf for details"
    exit 1
fi

if [ -e "$file" ]; then
    echo "checking the rules in $file..."
    # -n parses the ruleset without loading it; only flush if it is valid
    sudo pfctl -nf "$file"
    if [ $? -eq 0 ]; then
        echo "flushing all existing rules..."
        sudo pfctl -F all
        if [ $? -eq 0 ]; then
            echo "loading the rules from $file"
            sudo pfctl -f "$file"
            if [ $? -eq 0 ]; then
                echo "ruleset loaded!"
            else
                echo "pfctl -f $file was not successful!"
            fi
        fi
    else
        echo "pfctl -nf $file was not successful!"
    fi
else
    echo "$file does not exist!"
fi
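The pflog records quoted earlier in this message can be tallied by action, rule number, interface and destination port, which is the quickest way to see which rule and which service a flood of blocked packets belongs to. The shell function below is an added example, not part of the original message or of rvb's lfw script; it assumes the text layout printed by `tcpdump -nettti pflog0` as shown above, and the sample lines are constructed from the three records in the message plus one repeated bootp record so that a key counts twice.

```shell
#!/bin/sh
# Added example (not the original poster's code): tally pflog records by
# action, rule, interface and destination port.
# Assumes the line layout produced by `tcpdump -nettti pflog0` on OpenBSD:
#   <timestamp...> rule N/M(match): block in on IFACE: SRC.PORT > DST.PORT: ...

# Constructed sample: the three records quoted in the message, plus a
# repeated bootp record (different timestamp) so one key counts twice.
SAMPLE_LOG='Jan 19 07:43:46.952091 rule 0/0(match): block in on xl1: 10.248.0.145.1211 > 255.255.255.255.1211: udp 95
Jan 19 07:43:57.109716 rule 0/0(match): block in on fxp0: 22.214.171.124.1847 > 126.96.36.199.1434: udp 376
Jan 19 07:44:51.013127 rule 14/0(match): block in on fxp0: 10.49.160.1.67 > 255.255.255.255.68: xid:0x85eca861 flags:0x8000 [|bootp]
Jan 19 07:45:51.200000 rule 14/0(match): block in on fxp0: 10.49.160.1.67 > 255.255.255.255.68: xid:0x85eca862 flags:0x8000 [|bootp]'

# summarize_pflog: read pflog text on stdin and print one line per
# "action rule iface dstport" key, prefixed by its count, most frequent first.
summarize_pflog() {
    awk '
    /rule [0-9]+\/[0-9]+\(match\): (block|pass) (in|out) on / {
        # locate the "rule" token so the timestamp width does not matter
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i + 8 > NF) next            # truncated record, skip it
        rule = $(i + 1); sub(/\(match\):$/, "", rule)
        action = $(i + 2)
        iface = $(i + 5); sub(/:$/, "", iface)
        dst = $(i + 8); sub(/:$/, "", dst)
        n = split(dst, parts, ".")      # last dotted component is the port
        key = action " " rule " " iface " " parts[n]
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1rn -k2       # count descending, then key, for stable output
}

# summarize_sample: run the summary over the constructed sample above
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_pflog
}

summarize_sample
```

Feed it a live capture (`tcpdump -nettti pflog0 | summarize_pflog`) or the file pflogd writes (`tcpdump -nettt -r /var/log/pflog | summarize_pflog`). A high count on one destination port from many sources, such as the udp/1434 record above, is usually background scanning noise and is exactly what a default block rule is for; a high count on rule 0 (the default rule) is a hint that a specific logging block rule would make the records easier to attribute. Note that the "packets dropped by kernel" counter tcpdump prints on exit is the BPF capture buffer's loss count, not pf's block-policy; pf's own block and state counters are what `pfctl -si` reports.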