block log quick on xl0-failure

Erling Westenvik
Dear [hidden email],
I came back to my office today, surprised to see a new mail in my inbox. The
reason I was surprised, or actually perplexed, was that I activated the
rule below in the pf.conf file yesterday morning, before going on a
business trip from which I returned this evening.

  block log quick all on xl0

The rule is the first pass/block rule, preceded only by tables, macros and
several nat and rdr rules. In other words, there should be no way for pf to
quick-pass any traffic through xl0, but this is exactly and undeniably what
has happened!? The log shows a lot of traffic that was blocked during the 36
hours the rule was in effect, but somehow (at least) the mail mentioned
above was downloaded.

Since I'm doing development on the LAN servers, I cannot block internal
traffic. Hence the rule above, so that I'm able to block all traffic to the
internet without having to physically unplug the SHDSL cable.

I thought this might be of interest to the OpenBSD team. Unfortunately I'm
a novice in almost all aspects of OpenBSD, and you would have to tell me
specifically what to include should you want to respond to this inquiry.

--

OpenBSD 3.7/pf is installed on a dedicated firewall machine.
The PC hosting the mail client in question is a Win2k Pro PC on the LAN,
running Outlook 2003.



Kind regards
Erling Westenvik
Oddsomatic AS
+47 45 00 57 94
[hidden email]
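The first thing a practitioner would check on a report like this is what pf actually has loaded, since the pf.conf on disk and the active ruleset can differ, and a single pass rule that sits above the "quick" block on the same interface (or that names no interface at all) is enough to let traffic through. The script below is an added example, not code from the original post or from the OpenBSD project: it audits a "pfctl -sr" listing for pass rules that precede the first "block ... quick" rule on an interface. The two rule listings inside it are constructed samples, and the function name audit_quick_block is the example's own.

```sh
#!/bin/sh
# Audit a pf ruleset listing (the output of "pfctl -sr") for pass rules that
# precede the first "block ... quick on <if>" rule.  pf evaluates rules top
# to bottom and "quick" stops evaluation at that rule, so any pass rule
# ABOVE the quick block can still let traffic through on that interface.
#
# Added example; audit_quick_block is a name chosen for this script, not a
# pf or pfctl command.

# Constructed sample of "pfctl -sr" output: an ssh pass rule has crept in
# above the cut-off rule, so the cut-off on xl0 is not complete.
SAMPLE_RULES='scrub in all fragment reassemble
pass in quick on xl0 inet proto tcp from any to any port = 22 flags S/SA keep state
block drop log quick on xl0 all
pass in on fxp0 all keep state
pass out on fxp0 all keep state'

# Constructed sample where the quick block really is the first rule for xl0.
CLEAN_RULES='block drop log quick on xl0 all
pass in on fxp0 all keep state
pass out on fxp0 all keep state'

# Usage: pfctl -sr | audit_quick_block <interface>
# Prints every pass rule that applies to <interface> and sits above the
# first quick block for it.  Exit status: 0 = none found, 1 = leaks found,
# 2 = no "block ... quick" rule for that interface at all.
audit_quick_block() {
  awk -v ifc="$1" '
    # A rule applies to ifc if it names ifc after "on", or names no
    # interface at all (pf then applies it on every interface).
    function applies(line) {
      line = line " "
      return (line ~ (" on " ifc " ")) || (line !~ / on /)
    }
    cut == 0 && $1 == "block" && $0 ~ / quick / && applies($0) { cut = NR }
    cut == 0 && $1 == "pass" && applies($0) {
      leaks++
      print "rule " NR " passes " ifc " traffic before the quick block: " $0
    }
    END {
      if (cut == 0) { print "no \"block ... quick\" rule for " ifc " found"; exit 2 }
      exit (leaks > 0)
    }'
}

# Stand-alone demonstration on the constructed listings.
printf '%s\n' "$SAMPLE_RULES" | audit_quick_block xl0 || echo "cut-off on xl0 is leaky (status $?)"
printf '%s\n' "$CLEAN_RULES" | audit_quick_block xl0 && echo "cut-off on xl0 is complete"
```

On the firewall itself the check is "pfctl -sr | audit_quick_block xl0", run after the reload so it looks at the active ruleset rather than the file. One general pf caveat worth knowing when using a rule like this as an internet kill switch: pf consults the state table before it evaluates the rules, and reloading the ruleset with "pfctl -f" does not flush existing state entries, so a connection that was already established keeps passing until its state expires or the states are flushed explicitly (pfctl -F state). Nothing in the report above says whether that is what happened here; it is simply the second thing to rule out after the rule order.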