IMAP server talks back PF blocks
Jeremy Chadwick
koitsu at FreeBSD.org
Mon Sep 22 15:38:07 UTC 2008
On Mon, Sep 22, 2008 at 01:53:02PM +0200, Leslie Jensen wrote:
> When doing
> tcpdump -n -e -ttt -i pflog0
>
> I frequently see packets blocked that look like this
>
> 458660 rule 0/0(match): block in on em0: xxx.yyy.zzz.qqq.993 >
> qqq.zzz.yyy.xxx.59930: tcp 8 [bad hdr length 12 - too short, < 20]
>
> It's the IMAP server I'm using that tries to talk back. Is this
> something I should try to let through?

The blocks are happening, but you're not able to see the full data in
the packet due to the snaplen on tcpdump being too small. Add -s 256 to
your tcpdump argument and run it again.

It looks to me like you have a rule problem; possibly IMAP+SSL isn't
being permitted through, so the block ends up happening as a result of
an ambiguous "block in on em0" rule you have.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |