"trondd" <tro...@kagu-tsuchi.com> wrote:

> If you have an anchor in your pf ruleset, a packet that matches a rule
> with a log directive will reflect the rule number of the last anchor
> definition instead of the rule that caused the logging.
>
> My first rule in pf.conf is 'block log (all) all'. In 6.1, packets
> matching the block rule will show rule 1 as the matching rule. Since 6.2
> and in current (not sure when during 6.2's development this started) the
> same blocked packet will show the rule number of the last anchor in the
> ruleset as the matching rule.
>

I found that this was introduced in R1.1024 of pf.c, which makes sense
given that the commit reworks anchor stacks.

A simplified pf.conf to demonstrate what I am seeing:

set skip on lo
block log all
pass out proto { udp tcp } to any port { ssh http https domain }
anchor "test"

Tim.

> This is what I expect, and do get when no anchor is defined:
>
> root@portabsd:~$ pfctl -sr -R1
> block return log (all) all
>
> root@portabsd:~$ tcpdump -nettti pflog0 action block
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
> Oct 11 20:43:58.837980 rule 1/(match) block in on iwm0: fe80::8c2:5295:cd0e:f5e4.5353 > ff02::fb.5353: 0 [17q][|domain] [flowlabel 0x84d6b]
> Oct 11 20:44:18.233207 rule 1/(match) block in on iwm0: 192.168.1.3.52286 > 192.168.1.15.445: S 176378676:176378676(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314135130 0,[|tcp]> (DF) [tos 0x10]
> ^C
> 3 packets received by filter
> 0 packets dropped by kernel
>
>
> Add a bogus 'anchor "test"' to the bottom of pf.conf and reload. Hit the
> system with blockable traffic again:
>
> root@portabsd:~$ tcpdump -nettti pflog0 action block
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Oct 11 20:44:50.038509 rule 43/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 3438533119:3438533119(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314166871 0,[|tcp]> (DF) [tos 0x10]
> ^C
> 1 packets received by filter
> 0 packets dropped by kernel
>
> root@portabsd:~$ pfctl -sr -R1
> block return log (all) all
>
> root@portabsd:~$ pfctl -sr -R 43
> anchor "test" all
>
>
> My cleaned up pf.conf used in the above reproductions:
>
> wan_services = "{ http https pop3s imaps smtps whois 11371 ssh 53589 8008 }"
> set skip on { lo enc }
> match in all scrub (no-df random-id reassemble tcp)
> set block-policy return
> block log (all) all
> antispoof quick for egress
> vm_net = "{ 10.10.10.0/24 }"
> match out on egress inet from $vm_net to any nat-to (egress:0)
> pass in quick on vether0 from $vm_net to any
> pass out quick proto { tcp udp } to 192.168.1.1 port 53
> pass out quick proto tcp to any port { 6667 6697 } user irc
> block out quick proto { udp tcp } user irc
> pass out quick proto tcp to any port $wan_services
> pass out quick proto { udp } to any port 123
> pass quick proto udp to any port { 67 68 }
> pass out quick proto icmp all
> pass quick inet proto icmp all icmp-type unreach code needfrag
> pass out quick proto udp to port 33433 >< 33626
> block in quick from 192.168.1.1 to 224.0.0.1
> vpn_dest = "{ xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx }"
> pass in on egress proto esp from $vpn_dest to (self)
> pass out on egress proto esp from (self) to $vpn_dest
> pass in on egress proto udp from $vpn_dest to (self) port { isakmp ipsec-nat-t }
> pass out on egress proto udp from (self) to $vpn_dest port { isakmp ipsec-nat-t }
> pass in log quick proto tcp from 192.168.1.0/24 to (self) port ssh
> pass quick on egress proto tcp to any port 22000
> anchor "test"
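An added example (not from the thread) that checks pflog attribution the way the reporter did by hand: it parses the "rule N/(reason) action dir on ifname:" prefix that tcpdump prints for pflog frames and looks rule N up in a ruleset in `pfctl -sr` order, flagging entries whose number points at an anchor rule or at a rule without a log directive. The ruleset and log lines are constructed to mirror the simplified pf.conf above; rule numbers start at 0, as with `pfctl -sr -R`.

```python
import re

# Constructed ruleset in `pfctl -sr` order (list index == rule number), mirroring
# the simplified pf.conf from the report: a logging block rule, pass rules, a trailing anchor.
RULESET = [
    'block drop log all',
    'pass out proto tcp from any to any port = 22 flags S/SA',
    'pass out proto udp from any to any port = 53',
    'anchor "test" all',
]

# Prefix tcpdump prints for pflog frames: rule <num>/(<reason>) <action> <dir> on <ifname>:
PFLOG_RE = re.compile(r'rule (\d+)/\((\w+)\) (block|pass|match|nat|rdr) (in|out) on (\w+):')

def parse_pflog(line):
    """Return (rule_number, reason, action) from a tcpdump pflog line, or None."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)

def check_attribution(line, ruleset=RULESET):
    """Classify whether the rule number logged for this packet could have produced the log entry."""
    parsed = parse_pflog(line)
    if parsed is None:
        return 'unparsed'
    num, _reason, action = parsed
    if num >= len(ruleset):
        return 'unknown-rule'        # ruleset changed since the log was written, or bad parse
    rule = ruleset[num]
    if rule.startswith('anchor'):
        return 'anchor'              # the symptom from the report: an anchor entry cannot log
    if not rule.startswith(action):
        return 'action-mismatch'     # logged action disagrees with the rule's action
    if not re.search(r'\blog\b', rule):
        return 'no-log-directive'    # rule would not have logged at all
    return 'ok'

# Constructed pflog lines in tcpdump's format; the second shows the misattribution.
SAMPLE_LOG = [
    'Oct 11 20:43:58.834603 rule 0/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]',
    'Oct 11 20:44:50.038509 rule 3/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: S 1:1(0) win 65535',
]

def audit(lines, ruleset=RULESET):
    """Verdict per log line; anything other than 'ok' deserves a look."""
    return [check_attribution(line, ruleset) for line in lines]

if __name__ == '__main__':
    for line, verdict in zip(SAMPLE_LOG, audit(SAMPLE_LOG)):
        print(f'{verdict:18} {line[:70]}')
```

On a live host the ruleset list is the output of `pfctl -sr` and the log lines come from `tcpdump -nettti pflog0`, as in the report.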