
explanation of blocked packets



Why are the following packets being blocked?  I know that I have flags
S/SA modulate state, and that F or FP do not match S/SA, but does that
matter since it's in state?
I have included my pf.conf.
# tcpdump -e -ttt -n -i pflog0 "port 25"
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Mar 30 21:44:04.489217 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 60.176.206.39.1832: F 2903645707:2903645707(0) ack 543745993 win 17424 (DF)
Mar 30 21:44:09.139222 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 202.160.44.134.4286: FP 3334620421:3334620463(42) ack 2994736227 win 17520 (DF)
Mar 30 21:44:10.729224 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 200.86.148.178.2277: FP 2193168536:2193168609(73) ack 1328265101 win 17520 (DF)
Mar 30 21:44:18.919226 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 61.173.19.216.1985: FP 3883286478:3883286510(32) ack 2967094553 win 17680 (DF)
Mar 30 21:44:19.209218 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 222.65.106.103.4885: F 2361474561:2361474561(0) ack 1538593817 win 17680 (DF)
Mar 30 21:44:19.529218 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 218.80.8.138.4170: F 2750707851:2750707851(0) ack 2125304340 win 17680 (DF)
Mar 30 21:44:22.389222 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 61.105.46.116.2522: FP 2886292722:2886292764(42) ack 530849844 win 17520 (DF)
Mar 30 21:44:23.649227 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 218.80.8.138.1602: FP 4105006546:4105006588(42) ack 2092426987 win 17680
pf.conf
-------
# macros
ext_if="em0"
tcp_ports = "smtp"
udp_ports = "33434 >< 33524"          # traceroute probe port range
# tables
table <badhosts> persist
# options
set require-order yes
set block-policy drop
set fingerprints "/etc/pf.os"
set loginterface $ext_if
set optimization normal
set skip on lo0
# scrub
scrub on $ext_if reassemble tcp random-id
# rules
block log-all all                     # rule 0: default deny; log-all logs every packet it drops
antispoof quick for { $ext_if }
block in quick on $ext_if inet from <badhosts> to $ext_if
# inbound SMTP: flags S/SA means "of S and A, exactly S set", so only a bare SYN can create state
pass in quick on $ext_if inet proto tcp from any to $ext_if port { $tcp_ports } flags S/SA modulate state
pass in quick on $ext_if inet proto udp from any to $ext_if port { $udp_ports } keep state
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type 8 code 0 keep state
# outbound TCP: same SYN-only state creation; a non-SYN packet with no state entry falls through to rule 0
pass out quick on $ext_if inet proto tcp from $ext_if to any flags S/SA modulate state
pass out quick on $ext_if inet proto { udp, icmp } from $ext_if to any keep state
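As an added illustration (editor's example, not part of the original post and not pf code): every blocked record above is a FIN or FIN+PSH with ACK set from port 25, logged against rule 0, the `block log-all all` line. None of them carries SYN, so none can match `flags S/SA` on its own; such a packet is only passed while a state entry for the connection exists, and once that entry is gone (typically because the FIN exchange already completed or a closing timeout expired before this late segment was sent) the first matching rule is the default block. The script below parses the pflog lines from the post, applies pf's `flags a/b` rule ("of the flags in mask b, exactly those in a must be set, others ignored") to each packet, and reports which ones could only have been carried by state. The parser handles the old single-line tcpdump TCP format shown in the post, where ACK appears as a separate `ack N` field rather than as a flag letter; the record layout and field names are the editor's assumptions about that format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the eight pflog records from the post, each re-joined onto one
# line where the mail client wrapped them (source address masked as in the post).
SAMPLE_PFLOG = """\
Mar 30 21:44:04.489217 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 60.176.206.39.1832: F 2903645707:2903645707(0) ack 543745993 win 17424 (DF)
Mar 30 21:44:09.139222 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 202.160.44.134.4286: FP 3334620421:3334620463(42) ack 2994736227 win 17520 (DF)
Mar 30 21:44:10.729224 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 200.86.148.178.2277: FP 2193168536:2193168609(73) ack 1328265101 win 17520 (DF)
Mar 30 21:44:18.919226 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 61.173.19.216.1985: FP 3883286478:3883286510(32) ack 2967094553 win 17680 (DF)
Mar 30 21:44:19.209218 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 222.65.106.103.4885: F 2361474561:2361474561(0) ack 1538593817 win 17680 (DF)
Mar 30 21:44:19.529218 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 218.80.8.138.4170: F 2750707851:2750707851(0) ack 2125304340 win 17680 (DF)
Mar 30 21:44:22.389222 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 61.105.46.116.2522: FP 2886292722:2886292764(42) ack 530849844 win 17520 (DF)
Mar 30 21:44:23.649227 rule 0/0(match): block out on em0: xxx.xxx.xxx.xxx.25 > 218.80.8.138.1602: FP 4105006546:4105006588(42) ack 2092426987 win 17680
"""

# Old-style tcpdump TCP line (assumed layout): flag letters S F R P U, or "." for
# none, then seq:seqend(len), an optional "ack N", and the window.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\w.]+) > (?P<dst>[\w.]+): (?P<flags>[SFRPU.]+) "
    r"(?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

FLAG_ORDER = "SFRPUA"  # canonical order used when printing a flag set


@dataclass(frozen=True)
class BlockedPacket:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag letters; "A" added when tcpdump printed "ack N"
    payload_len: int


def _split_endpoint(ep):
    """'60.176.206.39.1832' -> ('60.176.206.39', 1832); last dot separates the port."""
    host, _, port = ep.rpartition(".")
    return host, int(port)


def parse_pflog(text):
    pkts = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue  # tcpdump banner/warning lines and non-TCP records
        flags = set(m["flags"].replace(".", ""))
        if m["ack"] is not None:
            flags.add("A")
        src, sport = _split_endpoint(m["src"])
        dst, dport = _split_endpoint(m["dst"])
        pkts.append(BlockedPacket(m["ts"], int(m["rule"]), m["action"], m["dir"],
                                  m["iface"], src, sport, dst, dport,
                                  frozenset(flags), int(m["len"])))
    return pkts


def flags_match(pkt_flags, spec):
    """pf 'flags a/b' semantics: of the flags listed in mask b, exactly the ones
    listed in a must be set; flags outside b are not examined."""
    want, _, mask = spec.partition("/")
    want, mask = set(want), set(mask)
    if not want <= mask:
        raise ValueError(f"flags {spec}: set must be a subset of the mask")
    return (set(pkt_flags) & mask) == want


def flag_str(flags):
    return "".join(f for f in FLAG_ORDER if f in flags)


def summarize(pkts):
    """Count blocked packets by flag combination, e.g. {'FA': 3, 'FPA': 5}."""
    return dict(Counter(flag_str(p.flags) for p in pkts))


def state_dependent(pkts, spec="S/SA"):
    """Packets that cannot match the flags spec of the pass rules and so could
    only have been passed by an existing state entry."""
    return [p for p in pkts if not flags_match(p.flags, spec)]


if __name__ == "__main__":
    pkts = parse_pflog(SAMPLE_PFLOG)
    print("blocked packets by flags:", summarize(pkts))
    for p in state_dependent(pkts):
        print(f"{p.ts} {p.src}:{p.sport} > {p.dst}:{p.dport} flags={flag_str(p.flags)} "
              f"rule={p.rule}: no SYN, needs an existing state entry")
```

Run it on a saved `tcpdump -n -e -ttt -i pflog0` capture to separate "never could create state" drops (like all eight here) from drops of SYNs, which would point at the rules themselves; for the former, `pfctl -s state` and `pfctl -s info` on the live box show whether the matching state is still present and how many state entries have been removed.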