[Dshield] OpenBSD 3.1/pf

Jan Johansson janj+dshield at wenf.org
Mon Aug 5 04:51:04 GMT 2002

On Sun, Aug 04, 2002 at 01:05:12PM -0500, millerbn wrote:
>On Sat, 3 Aug 2002 22:56:11 +0200, you wrote:
>>On Sat, Aug 03, 2002 at 02:00:21PM -0500, millerbn wrote:
>>>pass in quick on $external inet proto tcp from any to any port
>>>$services flags S/SA keep state
>>In as coming from the network going IN to the interface.
>>>The mail log does show that there was an outgoing email to the
>>"outgoing mail", so the rule you show does not match the
>>blocked traffic.
>>Send your full pf.conf and nat.conf and someone might be able
>>to help you. And maybe this is better on misc at openbsd.org ?
>Guess I should have included "return" between legitimate traffic
>in the prior message.

That was exactly my point. Traffic goes out as a TCP packet with
SYN. The reply is a TCP packet with SYN+ACK. The rule you show
only allows a TCP packet with SYN and not SYN+ACK. You are missing
a "pass out on $external proto tcp all keep state" but that is
impossible to see as you have given absolutely no info about:

- Your network layout
- Your complete packet filter
- Your blocking policy

>The timestamps for outgoing mail logs preceded the pf logs and
>they were blocked coming in to the interface.  I assumed most of
>the readers were used to firewall logs and might be quicker at
>spotting latent packets, which was my first guess - just wanted
>a little reassurance; also hoped someone would spot a mistake
>that I had missed if there was one.

Your mistake is that you provide no info.
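
Added example (editor's note, not from either poster): a minimal OpenBSD 3.1 era pf.conf filter section showing the rule the reply says is missing. The interface name fxp0 and the service list are assumptions; the OP's $services rule is kept as posted. NAT rules stay in nat.conf on 3.1, so none appear here.

```pf
# Macros. Interface and ports are assumed values, adjust to your layout.
ext_if = "fxp0"
services = "{ 22, 25, 80 }"

# Default deny in both directions, logging what is dropped so that
# blocked packets show up in pflog for review.
block in log on $ext_if all
block out log on $ext_if all

# Inbound connections to the services this host offers (the OP's rule).
# "flags S/SA" means only a bare SYN can match and create state, so the
# returning SYN+ACK of a connection this host opened never matches here.
pass in quick on $ext_if inet proto tcp from any to any port $services flags S/SA keep state

# Outbound connections, e.g. the MTA delivering mail. The outgoing SYN
# creates a state entry; the peer's SYN+ACK is then passed by the state
# table even though no "pass in" rule covers it. Without this rule the
# SYN+ACK falls through to "block in log" and lands in the pf log.
pass out quick on $ext_if inet proto tcp all flags S/SA keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf` and watch `pfctl -s state` while sending a mail to confirm an outbound entry appears. One caveat relevant to the "latent packets" guess in the thread: once a state entry has expired or been torn down, any late packet from that connection (a retransmission, a stray ACK or RST) no longer matches the state table and is correctly logged as blocked; such entries are noise, not a misconfiguration.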

