This is -current/i386 serving as a gateway for a home network.
See the full pf.conf below (it does the obvious: let everything out,
rdr-to the internal www server, pass internal services such as dns,
block everything else).
Now /var/log/pflog gets filled with what one could expect -
bad guys trying to connect to services I don't even run:
06:16:03.134986 211.161.192.17.6000 > 192.168.167.1.ms-sql-s: S 1081278464:1081278464(0) win 16384
But among these, there are also sequences such as this one:
11:38:34.334707 mac.stare.cz.51157 > www.ihned.cz.www: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 743239087 3983291520> (DF)
11:38:34.334755 mac.stare.cz.51156 > www.ihned.cz.www: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 743239087 3989688120> (DF)
11:38:34.334797 mac.stare.cz.51152 > www.ihned.cz.www: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 743239087 3983291519> (DF)
11:38:35.436357 mac.stare.cz.51223 > www.ihned.cz.www: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 743239098 3983291489> (DF)
11:38:35.436405 mac.stare.cz.51191 > www.ihned.cz.www: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 743239098 3983291492> (DF)
11:38:35.436450 mac.stare.cz.51185 > www.ihned.cz.www: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 743239098 3983291489> (DF)
That's an internal client sending FIN packets (to the webserver
www.ihned.cz of a newspaper I read), which gets blocked.
How does such a thing ever happen?
Speculation: this looks to me like the end of a valid http session:
an internal client reads a web page, and probably a few images,
everything goes through, but the last FIN does not. The first SYN
creates state that lets the subsequent packets through. Doesn't the
last FIN belong to the same state? Also, this is an outgoing packet,
which I explicitly allow.
What can possibly be blocking these FIN packets?
Thank you for your time.
Jan
ext="vr0" # external
int="vr1" # internal
dmz="vr2" # dmz
stare="192.168.222.2" # the dmz server
phone="192.168.111.9" # the voip phone
set skip on lo
set block-policy drop
match in all scrub (no-df max-mss 1440)
antispoof log quick for { lo $ext $int $dmz }
block log all
pass in on $int proto icmp from any to ($int)
pass in on $int proto { tcp udp } from any to ($int) port bootps
pass in on $int proto { tcp udp } from any to ($int) port domain
pass in on $int proto tcp from any to ($int) port ssh
pass in on $int from any to !($int) tag INT
pass out on $int proto udp from any to $phone port sip
pass out on $int proto tcp from any to any port ssh
pass out on $int proto icmp
pass in on $dmz proto icmp from any to ($dmz)
pass in on $dmz proto tcp from any to ($dmz) port ssh
pass in on $dmz proto { tcp udp } from any to ($dmz) port domain
pass in on $dmz from any to !($dmz) tag DMZ
pass out on $dmz proto { tcp udp } from any to $stare port 6881
pass out on $dmz proto tcp from any to $stare port { ssh www smtp }
pass out on $dmz proto icmp
pass in on $ext proto icmp
pass in on $ext proto udp from any to ($ext) port domain
pass in on $ext proto tcp from any to ($ext) port domain
pass in on $ext proto tcp from any to ($ext) port ssh rdr-to $stare
pass in on $ext proto tcp from any to ($ext) port www rdr-to $stare
pass in on $ext proto tcp from any to ($ext) port smtp rdr-to $stare
pass in on $ext proto tcp from any to ($ext) port 6881 rdr-to $stare
pass in on $ext proto udp from any to ($ext) port 6881 rdr-to $stare
pass in on $ext proto udp from any to ($ext) port 5060 rdr-to $phone
pass out quick on $ext tagged INT nat-to ($ext)
pass out quick on $ext tagged DMZ nat-to ($ext)
pass out on $ext