Fwd: pf problems
Daniel Hartmeier
daniel at benzedrine.cx
Mon Aug 8 14:54:30 GMT 2005
On Mon, Aug 08, 2005 at 06:18:28PM +0400, Sergey Lapin wrote:
> It does not help. Actually, it looks like pf does not have control
> over outgoing packets produced by pf itself. I can neither block
> nor reroute these packets. I checked this very easily: I created the
> rules
>
> block out log quick from SOME_OUTSIDE_HOST/32 to any
> block out log quick from any to SOME_OUTSIDE_HOST/32
>
> and made them the very first rules of the firewall. Needless to say, when I
> tried to telnet to router port 9999 from SOME_OUTSIDE_HOST, tcpdump on
> the pflog0 device got the incoming SYN but did not show the RST. On the
> other hand, tcpdump on the default gateway interface showed the outgoing
> RST. Again, from this I conclude that pf-generated packets (RST/ICMP)
> are not subject to ruleset processing.
No, they are not.
You can try a 6.0 RC containing a newer version of pf which sends TCP
RSTs (generated by 'return-rst') back out through the interface the
blocked packet came in through.
Alternatively, use multiple filtering devices, one in front of each
uplink.
Daniel
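The behaviour discussed above, as an added illustration that is not part of the original thread and not code from the FreeBSD project: a pf.conf fragment that reproduces the test from the quoted message and adds the return-rst rule whose reply packet the 6.0 pf sends back out the ingress interface. The interface names (em0, em1), the SOME_OUTSIDE_HOST placeholder and the port are assumptions.

```conf
# Added example (not from the original post). Interface names are assumed.
uplink1 = "em0"    # assumed: interface SOME_OUTSIDE_HOST is reachable on
uplink2 = "em1"    # assumed: default-gateway interface

# The two rules from the quoted message, placed first. They match packets
# that *traverse* the ruleset; an RST or ICMP that pf itself generates for
# a 'block return-*' rule is emitted directly and never runs through
# these 'out' rules, which is why pflog0 shows the SYN but not the RST.
block out log quick from SOME_OUTSIDE_HOST/32 to any
block out log quick from any to SOME_OUTSIDE_HOST/32

# Refuse port 9999 on the first uplink with a TCP RST. On the pf in the
# thread the RST leaves via the routing table (here: $uplink2); in the
# 6.0 RC pf referred to above it is sent out through $uplink1, the
# interface the blocked SYN arrived on, without consulting the 'out' rules.
block return-rst in log quick on $uplink1 proto tcp \
    from any to ($uplink1) port 9999

# Verifying which interface the generated RST actually leaves on:
#   tcpdump -n -e -ttt -i pflog0                        (shows only the SYN)
#   tcpdump -n -i em1 'tcp[tcpflags] & tcp-rst != 0'    (RST here on old pf)
#   tcpdump -n -i em0 'tcp[tcpflags] & tcp-rst != 0'    (RST here on 6.0 pf)
```

Because the generated RST bypasses the ruleset on both versions, the only way to stop it entirely is to drop the `return-rst` (plain `block` sends nothing), or, as Daniel suggests, put a separate filtering device in front of each uplink so that each uplink's replies can be filtered independently.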