From: mike tancsa
Date: Mon, 27 Feb 2023 07:59:16 -0500
To: Dave Horsfall
Cc: FreeBSD PF List
Subject: Re: Where did "from <__automatic_43ce223_0> come from?
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Message-ID: <2a307fdd-e8de-7949-9f67-01b5833d6c3c@sentex.net>
In-Reply-To: <502D8886-DC95-4BC0-8681-7D117A430825@FreeBSD.org>

On 2/25/2023 3:22 PM, Kristof Provost wrote:
> On 26 Feb 2023, at 9:09, Dave Horsfall wrote:
>
> > FreeBSD aneurin.horsfall.org 10.4-RELEASE-p13 FreeBSD 10.4-RELEASE-p13 #0: Thu Sep 27 09:21:23 UTC 2018 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
> >
> > (Yeah, I'll update soon, when I find a newer box)
> >
> > Seen in my daily security run output:
> >
> > +block drop in quick inet from <__automatic_43ce223_0> to any [ Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]
> >
> > Obviously something created automatically (I don't have anything faintly
> > resembling that in my pf.conf), but how?


It can also show up if you use 'self'

e.g.

block log quick from self to <rejects>
block log quick from <rejects> to self

and then view the rules with pfctl -sr it shows up as

block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>

    ---Mike


    


>  set ruleset-optimization
>        none      Disable the ruleset optimizer.
>        basic     Enable basic ruleset optimization.  This is the default
>                  behaviour.  Basic ruleset optimization does four things to
>                  improve the performance of ruleset evaluations:
>
>                  1.   remove duplicate rules
>                  2.   remove rules that are a subset of another rule
>                  3.   combine multiple rules into a table when advantageous
>                  4.   re-order the rules to improve evaluation performance
>
>        profile   Uses the currently loaded ruleset as a feedback profile to
>                  tailor the ordering of quick rules to actual network
>                  traffic.
>
>        It is important to note that the ruleset optimizer will modify the
>        ruleset to improve performance.  A side effect of the ruleset
>        modification is that per-rule accounting statistics will have
>        different meanings than before.  If per-rule accounting is important
>        for billing purposes or whatnot, either the ruleset optimizer should
>        not be used or a label field should be added to all of the accounting
>        rules to act as optimization barriers.
>
>        Optimization can also be set as a command-line argument to pfctl(8),
>        overriding the settings in pf.conf.
>
> That’d be case 3.
>
> Kristof
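
Added example, not part of the original thread: a POSIX sh/awk filter that picks the optimizer-generated <__automatic_*> tables out of pfctl -sr output or out of daily security run lines like the ones quoted above, and reports whether each table sits on the source or destination side of the rule. The function names and the last sample rule are constructed for illustration.

```shell
#!/bin/sh
# Added example: find pf rules that reference optimizer-generated tables.
# Input : `pfctl -sr` / `pfctl -vsr` output, or lines from the daily
#         security run (a leading '+' or '-' diff marker is ignored).
# Output: one line per reference: <table> TAB <from|to> TAB <rule text>
automatic_refs() {
    awk '
    {
        line = $0
        sub(/^[+-]/, "", line)                      # strip diff marker
        sub(/[ \t]*\[ Evaluations:.*$/, "", line)   # strip joined counters
        n = split(line, f, /[ \t]+/)
        for (i = 1; i < n; i++) {
            if ((f[i] == "from" || f[i] == "to") &&
                f[i + 1] ~ /^<__automatic_[0-9a-f]+_[0-9]+>$/) {
                name = f[i + 1]
                gsub(/[<>]/, "", name)
                printf "%s\t%s\t%s\n", name, f[i], line
            }
        }
    }'
}

# Unique automatic table names only.
automatic_tables() {
    automatic_refs | cut -f1 | sort -u
}

# Sample input: the three rules shown in this thread, plus one
# constructed rule that uses only a user-defined table.
sample_rules() {
    cat <<'EOF'
+block drop in quick inet from <__automatic_43ce223_0> to any [ Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]
block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>
pass out quick inet from any to <rejects>
EOF
}

sample_rules | automatic_refs
```

On a live host, pipe `pfctl -sr` into automatic_refs instead of the sample. Per the man page excerpt above, `set ruleset-optimization none` or a label on the affected rules keeps them as written in pf.conf.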
