pf block unwanted traffic


Kapetanakis Giannis
Hi,

I saw this today on my firewall:

Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)
Nov 01 12:51:14.027193 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SFR [bad hdr length] (DF)
Nov 01 12:51:15.692047 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: RPWE [bad hdr length] (DF)
Nov 01 12:51:16.121181 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SFPW [bad hdr length] (DF)
Nov 01 12:51:17.962807 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SE [bad hdr length] (DF)
Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win

The internal addresses are changing so it's something like a port scan...

I've added a first rule in pf:
block drop quick from 74.206.235.92
block drop quick to 74.206.235.92

@0 block drop quick inet from 74.206.235.92 to any
   [ Evaluations: 36837     Packets: 2         Bytes: 96 States: 0     ]
   [ Inserted: uid 0 pid 12234 State Creations: 0     ]
@1 block drop quick inet from any to 74.206.235.92
   [ Evaluations: 36743     Packets: 0         Bytes: 0 States: 0     ]
   [ Inserted: uid 0 pid 12234 State Creations: 0     ]

Apparently something is blocked, but something is also passed, since I
still get these messages in my pflog.

pfctl -ss shows no state for 74.206.235.92

How can I block these? What is it exactly ?

regards,

Giannis


Re: pf block unwanted traffic

Henning Brauer
* Kapetanakis Giannis <[hidden email]> [2012-11-01 13:57]:

> Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
> Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0
> win 6667 urg 0 (DF)
> Nov 01 12:51:14.027193 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: SFR [bad hdr length] (DF)
> Nov 01 12:51:15.692047 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: RPWE [bad hdr length] (DF)
> Nov 01 12:51:16.121181 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: SFPW [bad hdr length] (DF)
> Nov 01 12:51:17.962807 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: SE [bad hdr length] (DF)
> Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
> Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx:
> 74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win

> apparently something is blocked, but also something is passed since
> I still get these messages
> on my pflog.

need to resort to guesswork since your report lacks so much, but it
looks like you are simply misdiagnosing. and I admit it isn't super
obvious. seeing the "bad hdr length", pf will block these. the rule
referred to then is the default rule. but we didn't get as far as rule
matching, so that is misleading you.

as said, this is entirely guessed.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/


Re: pf block unwanted traffic

Kapetanakis Giannis
On 19/11/12 14:47, Henning Brauer wrote:

> * Kapetanakis Giannis <[hidden email]> [2012-11-01 13:57]:
>
>> Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx:
>> 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0
>> win 6667 urg 0 (DF)
>> Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx:
>> 74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
>> Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx:
>> 74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win
>> apparently something is blocked, but also something is passed since
>> I still get these messages
>> on my pflog.
> need to resort to guesswork since your report lacks so much, but it
> looks like you are simply misdiagnosing. and I admit it isn't super
> obvious. seeing the "bad hdr length", pf will block these.

What about the other lines?
rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0:
FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)
rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0:
SRPWE 1137099714:1137099730(16) win


>   the rule
> referred to then is the default rule. but we didn't get as far as rule
> matching, so that is misleading you.
>
> as said, this is entirely guessed.

What do you mean by default rule?

When I had these logs, the first rule was
block quick from 74.206.235.92

On the other hand, tcpdump on the inner interface showed no traffic
whatsoever from the offending IP,
so pf was indeed blocking the traffic.

Probably the only misleading thing here is the log. I've quite lost you
and I'm not really sure:
a) why do I see these logs?
b) is the traffic indeed blocked, or do I need to put in a more specific
rule like
block quick from $offending_IP
c) you said we didn't get as far as rule matching. That stands for "bad
hdr length"?

thanx

G


Re: pf block unwanted traffic

Kapetanakis Giannis
Right now I saw a similar case:

Nov 21 13:08:35.876814 rule def/(fragment) pass in on ext_if: 128.86.1.20.53 > xx.xx.xx.xx.36447: 34117*-[|domain] (frag 1942:1480@0+) (DF)
Nov 21 13:08:35.876817 rule def/(fragment) pass in on ext_if: 128.86.1.20 > xx.xx.xx.xx: (frag 1942:337@1480) (DF)

These are apparently fragmented packets.

Are they allowed to get in or not? If yes, then I still don't get rule def
(state maybe?)

G

ps.
@1 match in all scrub (no-df max-mss 1440)


Re: pf block unwanted traffic

Stuart Henderson
In reply to this post by Kapetanakis Giannis
On 2012-11-21, Kapetanakis Giannis <[hidden email]> wrote:
> On 19/11/12 14:47, Henning Brauer wrote:
>>   the rule
>> referred to then is the default rule. but we didn't get as far as rule
>> matching, so that is misleading you.
>
> What do you mean by default rule?

PF has an implicit default rule, "pass all flags any no state".

I would recommend that the first filter rule is either just "block"
or "pass" (optionally with "log" etc) so that you can be sure there's
a state entry for all traffic which is passed by the firewall.
Otherwise you can get into trouble with window scaling (which is
the reason pf.conf pass rules all default to "keep state" now).


Re: pf block unwanted traffic

Kapetanakis Giannis
On 21/11/12 15:20, Stuart Henderson wrote:

> On 2012-11-21, Kapetanakis Giannis <[hidden email]> wrote:
>> On 19/11/12 14:47, Henning Brauer wrote:
>>>    the rule
>>> referred to then is the default rule. but we didn't get as far as rule
>>> matching, so that is misleading you.
>> What do you mean by default rule?
> PF has an implicit default rule, "pass all flags any no state".
>
> I would recommend that the first filter rule is either just "block"
> or "pass" (optionally with "log" etc) so that you can be sure there's
> a state entry for all traffic which is passed by the firewall.
> Otherwise you can get into trouble with window scaling (which is
> the reason pf.conf pass rules all default to "keep state" now).
>

Ok I've added a "block" as a first rule, but how would that create a state?

If it was a pass then it would create a state, since it applies "keep
state" by default.

G


Re: pf block unwanted traffic

Stuart Henderson
On 2012-11-21, Kapetanakis Giannis <[hidden email]> wrote:

> On 21/11/12 15:20, Stuart Henderson wrote:
>> On 2012-11-21, Kapetanakis Giannis <[hidden email]> wrote:
>>> On 19/11/12 14:47, Henning Brauer wrote:
>>>>    the rule
>>>> referred to then is the default rule. but we didn't get as far as rule
>>>> matching, so that is misleading you.
>>> What do you mean by default rule?
>> PF has an implicit default rule, "pass all flags any no state".
>>
>> I would recommend that the first filter rule is either just "block"
>> or "pass" (optionally with "log" etc) so that you can be sure there's
>> a state entry for all traffic which is passed by the firewall.
>> Otherwise you can get into trouble with window scaling (which is
>> the reason pf.conf pass rules all default to "keep state" now).
>>
>
> Ok I've added a "block" as a first rule, but how would that create a state?

It doesn't create a state, my wording was careful - emphasis added:

"so that you can be sure there's a state entry for all traffic
_which is passed_ by the firewall."

But my answer was just to your "what do you mean by default rule"
question - as Henning said, "but we didn't get as far as rule matching,
so that is misleading you."
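
Stuart's point in the two replies above is that pf's implicit default rule passes anything no filter rule catches, and does so without a state entry. The script below is an added example, not from the thread and not part of pfctl: it reads a pf.conf as plain text and reports whether any packet can still fall through to that default rule, and whether a catch-all placed late in the file overrides earlier non-quick rules (pf takes the last matching rule unless one says quick). The rulesets it checks are constructed from the rules Giannis and David posted plus one made-up ssh rule; the keyword lists are my approximation of pf.conf syntax, and macros, anchors and include files are not expanded.

```python
from typing import Iterator, List, NamedTuple, Optional

# Added example; not pfctl and not from the thread. A plain-text check of a
# pf.conf for a catch-all filter rule ("block" or "pass" with no interface,
# protocol or address restriction), so that no packet reaches pf's implicit
# default rule "pass all flags any no state" and is passed without a state.
# Keyword lists below are my approximation of pf.conf syntax (assumption).

FILTER_ACTIONS = {"block", "pass"}
# Keywords that narrow what a filter rule matches.
RESTRICTIONS = {"on", "proto", "from", "to", "inet", "inet6", "af",
                "user", "group", "tos", "tagged", "received-on", "os"}


class Rule(NamedTuple):
    text: str
    directions: frozenset   # subset of {"in", "out"}
    quick: bool
    catch_all: bool


def logical_lines(conf: str) -> Iterator[str]:
    """Join backslash-continued lines, drop comments and blank lines."""
    buf = ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""


def parse_filter_rule(line: str) -> Optional[Rule]:
    """Return a Rule for block/pass lines; None for set/table/match/antispoof/macros."""
    toks = line.split()
    if not toks or toks[0] not in FILTER_ACTIONS:
        return None
    dirs = frozenset(t for t in toks[1:] if t in ("in", "out")) or frozenset({"in", "out"})
    restricted = any(t in RESTRICTIONS for t in toks[1:])
    return Rule(line, dirs, "quick" in toks, not restricted)


def audit(conf: str) -> dict:
    """default_rule_reachable: directions with no catch-all (packets can hit the
    implicit default rule). shadowed: earlier non-quick rules a later catch-all
    overrides, since every packet matches the catch-all and the last match wins."""
    covered: set = set()
    shadowed: List[str] = []
    seen: List[Rule] = []
    for line in logical_lines(conf):
        rule = parse_filter_rule(line)
        if rule is None:
            continue
        if rule.catch_all:
            covered |= rule.directions
            shadowed += [s.text for s in seen
                         if not s.quick and s.directions & rule.directions]
        seen.append(rule)
    return {"default_rule_reachable": {"in", "out"} - covered,
            "shadowed": shadowed}


# Constructed from the two rules Giannis posted, plus one made-up service rule.
# Traffic from any other host matches nothing and falls through to the default rule.
WEAK = """
block drop quick from 74.206.235.92
block drop quick to 74.206.235.92
pass in on vlanxxx proto tcp to port ssh
"""

# Stuart's recommendation: a bare catch-all as the first filter rule.
FIXED = "block log\n" + WEAK

# The same catch-all appended at the end instead: it now overrides the
# non-quick ssh rule, because the last matching rule wins.
MISPLACED = WEAK + "block log\n"

# The opening of David's ruleset as posted: the bare "pass" covers both
# directions and only quick rules precede it, so nothing is overridden.
DAVID = """
block in quick on egress from <rfc1918>
antispoof log quick for { pppoe0 em0 }
pass
block quick on egress proto carp
block quick on { egress dmz } inet6
block in log on { egress dmz }
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("FIXED", FIXED),
                       ("MISPLACED", MISPLACED), ("DAVID", DAVID)):
        print(name, audit(conf))
```

Run it against your own pf.conf with `audit(open("/etc/pf.conf").read())`; an empty `default_rule_reachable` set means the implicit default rule can no longer match, and a non-empty `shadowed` list means the catch-all sits after rules it silently defeats.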


Re: pf block unwanted traffic

David Diggles-2
In reply to this post by Henning Brauer
Hello List,

I just got a similar event in my pflog.

Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]

I don't know what this is, or why it is passed.

Can someone explain or attempt a guess at what this is?

The intention of my pf.conf is to block all incoming
by default on pppoe0.

Am I doing something really stupid here?

/etc/hostname.carp1
inet 172.75.100.1 255.255.255.0 172.25.101.255 balancing ip-stealth carpnodes 1:0,2:100 pass secret1
group dmz

/etc/hostname.carp2
inet 172.25.100.1 255.255.255.0 172.25.100.255 balancing ip-stealth carpnodes 4:0,5:100 pass secret2
group lan

/etc/hostname.em0
up mtu 1508

/etc/hostname.em1
inet 172.75.100.4 255.255.255.0
group dmz

/etc/hostname.em2
inet 172.25.100.4 255.255.255.0
group lan

/etc/hostname.pppoe0
inet 59.167.212.41 255.255.255.255 NONE mtu 1500 \
pppoedev em0 authproto pap \
authname pppoeuser authkey pppoepass up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 ::1

/etc/pf.conf
#-----------------------------------------------------------------------
# defaults
#-----------------------------------------------------------------------
table <rfc1918> const { 192.168/16 172.16/12 10/8 }
table <dmz> const { dmz:network }
table <lan> const { lan:network }
set loginterface egress
set skip on lo
block in quick on egress from <rfc1918>
antispoof log quick for { pppoe0 em0 }
pass
block quick on egress proto carp
block quick on { egress dmz } inet6
block in log on { egress dmz }
#-----------------------------------------------------------------------
# ack priority
#-----------------------------------------------------------------------
match on egress inet proto tcp prio(1,7)
#-----------------------------------------------------------------------
# sand blasting
#-----------------------------------------------------------------------
match in on egress scrub (reassemble tcp)
#match in on { egress dmz } scrub (reassemble tcp)
#match on egress scrub (max-mss 1440)
#-----------------------------------------------------------------------
# translation and redirections
#-----------------------------------------------------------------------
match out on egress nat-to (egress)
match in on { lan dmz } inet proto tcp to ! bincrow.net \
    port www rdr-to localhost port 8080
match in on { lan dmz } inet proto tcp to bincrow.net \
    port www rdr-to localhost
match in on { lan dmz } inet to bincrow.net rdr-to localhost
#-----------------------------------------------------------------------
# incoming port forwards
#-----------------------------------------------------------------------
# torrent
pass in on egress inet proto tcp to egress port 6881 rdr-to meile \
    modulate state
pass in on egress inet proto udp to egress port 6881 rdr-to meile \
    keep state
#-----------------------------------------------------------------------
# allow anyone to this
#-----------------------------------------------------------------------
pass in on egress inet proto tcp from any to egress port www \
    modulate state
#-----------------------------------------------------------------------
# dns
#-----------------------------------------------------------------------
table <dns-white> persist file "/etc/pf/dns-white"
pass in on egress inet proto { tcp udp } from \
    <dns-white> to egress port domain
pass in on dmz inet proto { tcp udp } from \
    <dmz> to dmz port domain
#-----------------------------------------------------------------------
# ntp
#-----------------------------------------------------------------------
pass in on dmz inet proto { tcp udp } from <dmz> \
    to dmz port { daytime time ntp }
#-----------------------------------------------------------------------
# ssh - whitelist, and rate limit overflows into blacklist
#-----------------------------------------------------------------------
table <ssh-black> persist file "/etc/pf/ssh-black"
table <ssh-white> persist file "/etc/pf/ssh-white"
pass in log on { egress dmz } inet proto tcp from <ssh-white> to \
    port ssh rdr-to localhost
pass in log on { egress dmz } inet proto tcp from !<ssh-black> to \
    port ssh rdr-to localhost keep state \
    (max-src-conn-rate 1/30, overload <ssh-black> flush)
#-----------------------------------------------------------------------
# imaps - whitelist, and rate limit overflows into blacklist
#-----------------------------------------------------------------------
table <imaps-black> persist file "/etc/pf/imaps-black"
table <imaps-white> persist file "/etc/pf/imaps-white"
pass in log on { egress dmz } inet proto tcp from <imaps-white> to \
    port imaps rdr-to localhost
pass in log on { egress dmz } inet proto tcp from !<imaps-black> to \
    port imaps rdr-to localhost keep state \
    (max-src-conn-rate 2/1, overload <imaps-black> flush)
#-----------------------------------------------------------------------
# squid - whitelist
#-----------------------------------------------------------------------
table <squid-white> persist file "/etc/pf/squid-white"
pass in on egress inet proto tcp from <squid-white> to egress port 8080
#-----------------------------------------------------------------------
# allow these to everything
#-----------------------------------------------------------------------
table <authpf_users> persist
table <all-egress> persist file "/etc/pf/all-egress"
pass in on egress from { <authpf_users> <all-egress> } to egress
table <all-dmz> persist file "/etc/pf/all-dmz"
pass in on dmz from { <authpf_users> <all-dmz> } to any
#-----------------------------------------------------------------------
# smtp - spamd gatekeeps sendmail
#-----------------------------------------------------------------------
table <nospamd> persist file "/etc/mail/nospamd"
table <spamd-white> persist
pass in on egress proto tcp from any to egress port smtp \
    rdr-to localhost port spamd
pass in log on egress proto tcp from { <nospamd> <spamd-white> } \
    to egress port smtp modulate state
pass out log on egress proto tcp to any port smtp modulate state
#-----------------------------------------------------------------------
# smtp - direct to sendmail
#-----------------------------------------------------------------------
#pass in log on egress proto tcp from any \
#    to egress port smtp modulate state
#pass out log on egress proto tcp to any port smtp modulate state

On Mon, Nov 19, 2012 at 01:47:09PM +0100, Henning Brauer wrote:

> * Kapetanakis Giannis <[hidden email]> [2012-11-01 13:57]:
>
> > apparently something is blocked, but also something is passed since
> > I still get these messages
> > on my pflog.
>
> need to resort to guesswork since your report lacks so much, but it
> looks like you are simply misdiagnosing. and I admit it isn't super
> obvious. seeing the "bad hdr length", pf will block these. the rule
> referred to then is the default rule. but we didn't get as far as rule
> matching, so that is misleading you.
>
> as said, this is entirely guessed.


Re: pf block unwanted traffic

Henning Brauer
it isn't passed, it is blocked.
not by a rule but by pf itself, long before, since the header length is
invalid. and since there is no rule to refer to, it refers to the
default rule.

* David Diggles <[hidden email]> [2013-01-16 08:43]:

> Hello List,
>
> I just got a similar event in my pflog.
>
> Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
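
Henning's two replies say the "rule def/(short) pass" records are drops made by pf's own header check, logged against the implicit default rule because no rule was ever evaluated; as I read the pf code, pf logs this kind of drop on its own, which is why the records appear although no rule says log. The script below is an added example, not from the thread and not OpenBSD code: it parses pflog records in the text form tcpdump prints (`tcpdump -n -e -ttt -r /var/log/pflog`) and separates real rule matches from pre-rule drops. The sample records are constructed from the lines posted in the thread, joined onto single lines, plus one ordinary "match" record on a documentation address; the wording for reason codes other than "short" and "match" is mine.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Added example; not OpenBSD code and not from the thread. Header tcpdump
# prints in front of each pflog record:
#   rule <rnr>/(<reason>) <action> <dir> on <ifname>: <src> > <dst>: ...
# <rnr> is a rule number, or "def" for pf's implicit default rule. Only the
# reason code "match" means a rule was evaluated and matched.
_REC = re.compile(
    r"rule (?P<rnr>[^/ ]+)/\((?P<reason>[a-z-]+)\) "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+):"
)


class Record(NamedTuple):
    rnr: str        # rule number, or "def" for the implicit default rule
    reason: str     # pflog reason code
    action: str     # action of the rule the record refers to
    direction: str
    ifname: str
    src: str        # endpoint as printed: IPv4 with ".port" appended for TCP/UDP
    dst: str


def parse_record(line: str) -> Optional[Record]:
    m = _REC.search(line)
    if m is None:
        return None
    return Record(m["rnr"], m["reason"], m["action"], m["dir"],
                  m["ifname"], m["src"], m["dst"])


def host(endpoint: str) -> str:
    """Strip the trailing ".port" tcpdump appends to IPv4 TCP/UDP endpoints."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def explain(rec: Record) -> str:
    """What the record actually says about the packet's fate."""
    who = "implicit default rule" if rec.rnr == "def" else f"rule {rec.rnr}"
    if rec.reason == "match":
        return f"{rec.action} by {who}"
    if rec.reason == "short":
        # pf drops these in its header sanity check; no rule was evaluated, so
        # the action shown is that of the rule the record points at (the
        # default rule's "pass"), not the verdict.
        return (f"dropped before rule evaluation (reason short); "
                f"'{rec.action}' is the {who}'s action, not the verdict")
    return (f"handled by pf pre-processing (reason {rec.reason}); "
            f"'{who}' identifies no matching rule")


def triage(text: str) -> Dict[str, List[Record]]:
    """Bucket parseable records by reason code."""
    out: Dict[str, List[Record]] = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            out.setdefault(rec.reason, []).append(rec)
    return out


def hosts_failing_sanity(text: str) -> Counter:
    """Source hosts whose packets were dropped as 'short', with counts. One
    source producing many of these with varying flag sets is the pattern
    Giannis reported."""
    return Counter(host(r.src) for r in triage(text).get("short", []))


# Constructed sample: the thread's records on single lines, plus one ordinary
# "match" record (203.0.113.7 is a documentation address).
SAMPLE = """\
Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)
Nov 21 13:08:35.876814 rule def/(fragment) pass in on ext_if: 128.86.1.20.53 > xx.xx.xx.xx.36447: 34117*-[|domain] (frag 1942:1480@0+) (DF)
Nov 21 13:08:35.876817 rule def/(fragment) pass in on ext_if: 128.86.1.20 > xx.xx.xx.xx: (frag 1942:337@1480) (DF)
Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]
Jan 16 16:09:00.000000 rule 3/(match) block in on pppoe0: 203.0.113.7.4444 > 59.167.212.41.22: S 1:1(0) win 1024
"""

if __name__ == "__main__":
    for reason, recs in triage(SAMPLE).items():
        for r in recs:
            print(f"{reason:9} {host(r.src):>15} -> {explain(r)}")
    print(hosts_failing_sanity(SAMPLE))
```

On a live system tcpdump's pflog filter primitives do the same triage without a script: `tcpdump -n -e -ttt -i pflog0 reason short` shows only the pre-rule drops, and `reason match` only the records that name a rule that was actually evaluated.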