Unexpected pf behavior

Doug Hardie bc979 at lafn.org
Sat May 10 22:04:15 UTC 2014


I have a pf rule (FreeBSD 9.2) that uses a table to block access from specific networks.  This morning I found the following situation:

12 attempts from an address in one of the blocked networks to access the server.  All were blocked and marked as such with the proper rule number in pflog.

10 succeeding connections that were passed through to the port.  These were logged by the process listening on that port.

There were no changes to the rules, reboots, etc. during that time.  This all transpired in about 10 minutes.  A dump of the table shows the proper address range.  I am not logging the pass throughs so only the original 12 blocks are in the logs.  I have never seen anything like this in the past.  Is there some way I can test a specific IP address and have pf tell me what it would do if it received a packet from that address?
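Added example (not part of the original post or of the FreeBSD pf code). On the firewall itself, pfctl(8) answers the question directly: `pfctl -t <table> -T test <address>` reports whether an address matches a table, and `pfctl -vsr` prints each rule with its evaluation and match counters. The script below models the same table lookup offline so a saved table dump can be checked against the addresses seen in pflog. It assumes the dump format of `pfctl -t <table> -T show` (one entry per line, negated entries prefixed with `!`) and models pf's table semantics as longest-prefix match with a negated entry meaning "not in the table"; the table name `blocked`, the entries and the tested addresses are constructed for the example.

```python
import ipaddress

# Constructed table dump, in the format "pfctl -t blocked -T show" prints.
# These networks and the negated host are example values, not from the post.
TABLE_DUMP = """\
   198.51.100.0/24
   203.0.113.0/24
  !203.0.113.77
"""


def parse_table(dump):
    """Parse a pfctl -T show style dump into (network, negated) pairs."""
    entries = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        negated = line.startswith("!")
        net = ipaddress.ip_network(line.lstrip("!").strip(), strict=False)
        entries.append((net, negated))
    return entries


def lookup(entries, addr):
    """Decide whether addr is 'in the table'.

    Modeled semantics (assumption, see lead-in): the most specific entry
    containing the address decides; if that entry is negated the address
    is treated as not in the table. Returns (in_table, deciding_entry).
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in entries:
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    if best is None:
        return False, None
    return (not best[1]), str(best[0])


def audit(dump, addrs):
    """Map each address to the lookup result, e.g. for addresses pulled
    from pflog or from the listening daemon's own log."""
    entries = parse_table(dump)
    return {a: lookup(entries, a) for a in addrs}


if __name__ == "__main__":
    # Constructed sample addresses: one inside a blocked range, one carved
    # out by the negated entry, one outside every entry.
    for addr, (hit, entry) in audit(
        TABLE_DUMP, ["203.0.113.5", "203.0.113.77", "192.0.2.1"]
    ).items():
        print(f"{addr:>15}  in table: {hit!s:5}  deciding entry: {entry}")
```

Dump the live table with `pfctl -t blocked -T show > table.txt` at the time of the incident and keep it with the logs; comparing a later dump against the earlier one shows whether the table contents changed even when the rules file did not.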