[Dshield] OpenBSD 3.1/pf

millerbn millerbn at chiba.dhs.org
Sat Aug 3 19:00:21 GMT 2002


OpenBSD 3.1/pf is the OS and firewall;

Rule that allows inbound services;

pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state

Relevant portions of pf.log;

Aug 03 10:51:03.734979 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: . ack 3049844211 win 8099 <nop,nop,timestamp 580924822 709317980,nop,nop,sack 2 {3722912603:3722912610} [|tcp]> (DF)
Aug 03 11:44:08.483458 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581243346 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:44:09.338857 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581243433 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:44:11.079042 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581243607 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:44:14.558515 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581243955 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:44:21.518502 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581244651 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:44:35.821162 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581246043 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:45:03.672422 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581248827 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:45:59.375968 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581254395 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:47:50.782341 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581265531 709317980,nop,nop,sack 1 {7:8} > (DF)


The mail log does show that there was an outgoing email to the system so this could be legitimate traffic. I've recently migrated from gnatbox v3.1.3s to the new system. In the past week, I've not seen anything like this with any other system that either mail was sent to or received from. I'm curious as to its nature, latent packets to ignore or an indication that my $services rule needs modification?

If the complete pf.conf is needed, reply off list for a copy.

OT- Any gotchas with the dshield log parser and OpenBSD 3.1/pf?
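An added example, not part of the post or of DShield's parser: a small Python reader for pflogd/tcpdump lines like the ones above. It groups the blocked packets by 4-tuple and notes that none of them carry SYN, which is what the `flags S/SA keep state` rule needs to create state; the port-range heuristic in `is_likely_reply` is an assumption, and the fourth sample line (192.0.2.10, a documentation address) is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: three blocked lines copied from the post plus one made-up
# SYN line (192.0.2.10 is a documentation address) to show the contrast.
SAMPLE_PFLOG = """\
Aug 03 10:51:03.734979 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: . ack 3049844211 win 8099 <nop,nop,timestamp 580924822 709317980,nop,nop,sack 2 {3722912603:3722912610} [|tcp]> (DF)
Aug 03 11:44:08.483458 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581243346 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 11:44:09.338857 rule 35/0(match): block in on we0: 211.72.210.250.25 > 65.187.137.49.33301: F 0:0(0) ack 1 win 8099 <nop,nop,timestamp 581243433 709317980,nop,nop,sack 1 {7:8} > (DF)
Aug 03 12:00:00.000000 rule 35/0(match): block in on we0: 192.0.2.10.4321 > 65.187.137.49.25: S 1000:1000(0) win 5840 <mss 1460> (DF)
"""

# pflogd output as printed by tcpdump; IPv4 + TCP lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<flags>[SFRPUWE.]+) "
)

def parse_pflog(text):
    """Return one dict per parsable line; unparsable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify(rec):
    """With 'flags S/SA keep state' only a SYN can create state, so a blocked
    packet without SYN matched no existing state: a FIN or bare ACK is the
    tail of a session whose state entry already closed or expired."""
    flags = rec["flags"]
    if "S" in flags:
        return "new-connection-attempt"
    if "R" in flags:
        return "reset"
    return "stateless-tail"   # "." (ACK only) or F arriving with no state

def is_likely_reply(rec):
    """Heuristic (assumption): service port -> high port with no SYN looks like
    the far end of a connection this host opened, e.g. an SMTP server on 25."""
    return "S" not in rec["flags"] and int(rec["sport"]) < 1024 <= int(rec["dport"])

def summarize(records):
    """Group by 4-tuple so repeated FIN retransmissions collapse into one flow."""
    flows = defaultdict(lambda: {"count": 0, "kinds": set(), "first": None,
                                 "last": None, "likely_reply": False})
    for r in records:
        f = flows[(r["src"], int(r["sport"]), r["dst"], int(r["dport"]))]
        f["count"] += 1
        f["kinds"].add(classify(r))
        f["first"] = f["first"] or r["ts"]
        f["last"] = r["ts"]
        f["likely_reply"] |= is_likely_reply(r)
    return dict(flows)

if __name__ == "__main__":
    for flow, info in summarize(parse_pflog(SAMPLE_PFLOG)).items():
        print(flow, info)
```

A flow that is all "stateless-tail" and "likely_reply" is the late tail of a finished outbound session rather than a new inbound attempt, so the block is the expected fate of a packet that arrived after its state was gone.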
