
List:       openbsd-pf
Subject:    Re: explanation of blocked packets
From:       davidh <davidh () wmis ! net>
Date:       2005-03-31 21:19:01
Message-ID: 20050331211901.GB27204 () mindcry ! org

On Thu, Mar 31, 2005 at 02:12:12PM +0100, Bob wrote:
> davidh@wmis.net wrote:
> > Why are the following packets being blocked?  I know that I have flags
> > S/SA modulate state, and that F or FP do not match S/SA, but does that
> > matter since it's in state?
> 
> If I remember correctly, S/SA means "only accept flags where out of S 
> and A, only S is set". I.e. that pattern is only checking the S and A 
> flags, and couldn't care less about F or P.
> 
> However, in the packets that seem blocked, the S flag is not set, so 
> those packets will not pass the rule you have to allow stuff out of 
> $ext_if, and the last rule to match will be rule 0/0, which you have set 
> to "block log-all all".
> 
> You should find out what is creating the packets you see, and determine 
> why they are not setting the S flag.
> 
> Once a session has begun, the return packet, and all further reply 
> packets for that session, should be automatically allowed in/out because 
> you have turned on stateful inspection for outgoing packets. So the 
> packets you see blocked are likely the first packets with the 
> destination and source address that you see in the log. Why they don't 
> have the S flag set, I'm not sure.
> -- 
> Bob
> 

The mail server is postfix.  Basically, S/SA is for initiating the connection, and after it's added to the state, it shouldn't matter what flags are passed.

You are thinking these packets with F and FP are initial packets for a new connection?

I am not so sure about that.
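An added example, not from this thread or from pf itself: a small Python model of pf's "flags X/Y" matching and a state table, showing that a packet whose flags do not satisfy S/SA is only blocked when no state entry exists for its connection (addresses, ports and rule names below are constructed).

```python
# Model of a pf ruleset with one "pass out ... flags S/SA modulate state" rule
# followed by a default "block log-all all". This is an illustration of the
# matching semantics, not pf code; it ignores sequence-number tracking.

def flags_match(pkt_flags: str, spec: str) -> bool:
    """pf 'flags X/Y': of the flags in mask Y, exactly those in X must be set.
    Flags outside the mask (F or P for S/SA) are not examined at all."""
    want, mask = spec.split("/")
    return {f for f in pkt_flags if f in mask} == set(want)

def filter_packet(state: set, conn: tuple, flags: str, spec: str = "S/SA") -> str:
    """Decide one packet. `conn` is a constructed (src, sport, dst, dport) tuple,
    `state` the set of connections currently in the state table."""
    if conn in state:            # state entry exists: flags are no longer checked
        return "pass (state)"
    if flags_match(flags, spec): # only a bare SYN can create a new state
        state.add(conn)
        return "pass (new state)"
    return "block (rule 0/0)"    # everything else falls through to the block rule

def run_trace() -> list:
    """Replay a constructed packet sequence and return the decisions."""
    state = set()
    smtp = ("10.0.0.5", 40001, "192.0.2.25", 25)   # constructed SMTP session
    other = ("10.0.0.5", 40002, "192.0.2.25", 25)  # connection pf never saw start
    trace = [
        filter_packet(state, smtp, "S"),    # handshake: creates the state
        filter_packet(state, smtp, "A"),    # in state, A alone is fine
        filter_packet(state, smtp, "FA"),   # FIN inside the session: still passes
        filter_packet(state, other, "FP"),  # FIN/PSH with no state: blocked
    ]
    state.discard(smtp)                     # simulate state expiry (timeout)
    trace.append(filter_packet(state, smtp, "FA"))  # late FIN after expiry: blocked
    return trace

if __name__ == "__main__":
    for decision in run_trace():
        print(decision)
```

The last two cases are the ones that reach rule 0/0: a packet with F or FP for which no state entry exists, either because the session's SYN was never seen by this rule or because the entry has since expired.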


