Hello!
I've got some trouble in my testing network and noticed that PF doesn't block traffic properly.
My FreeBSD 12.1 machine has 2 interfaces; both are in the same L2 segment:
em0 - LAN 192.168.17.92
em1 - WAN 192.168.170.92
pf.conf:
Code:
nat log on em1 from 192.168.17.0/24 to any -> { 192.168.170.92 }
block in log on em1 all tag BLOCK
pass out log on em1 all tag PASS
block in log on em0 all tag BLOCK
pass out log on em0 all tag PASS
pass in log quick on em0 proto tcp from 192.168.17.0/24 to self port 22 tag PASS
block quick log tagged BLOCK
In that network I've got UDP packets that come to both interfaces simultaneously:
Code:
16:16:42.223247 f4:4d:30:e3:d9:f0 > 00:e0:4c:68:00:01, ethertype IPv4 (0x0800), length 154: 192.168.0.10.162 > 192.168.0.10.162: C=dd_cc_62_6c_69_63 Trap(97) .1.3.6.1.4.1.3183.1.1 192.168.0.10 enterpriseSpecific s=2453248 1014325720 .1.3.6.1.4.1.3183.1.1.1=00_11_22_33_44_55_66_77_88_99_aa_bb_cc_dd_ee_ff_1c_cf_00_00_00_00_ff_ff_50_68_01_c8_01_17_00_00_00_00_00_00_00_00_00_19_00_00_6a_92_22_11_c1
Behavior of PF is:
Code:
00:00:08.436901 rule 9/0(match): block in on em0: 192.168.0.10.162 > 192.168.0.10.162: C=dd_cc_62_6c_69_63 Trap(97) .1.3.6.1.4.1.3183.1.1 192.168.0.10 enterpriseSpecific s=2453248 1014325720 .1.3.6.1.4.1.3183.1.1.1=00_11_22_33_44_55_66_77_88_99_aa_bb_cc_dd_ee_ff_1c_cf_00_00_00_00_ff_ff_50_68_01_c8_01_17_00_00_00_00_00_00_00_00_00_19_00_00_6a_92_22_11_c1
00:00:00.000187 rule 9/0(match): block in on em1: 192.168.0.10.162 > 192.168.0.10.162: C=dd_cc_62_6c_69_63 Trap(97) .1.3.6.1.4.1.3183.1.1 192.168.0.10 enterpriseSpecific s=2453248 1014325720 .1.3.6.1.4.1.3183.1.1.1=00_11_22_33_44_55_66_77_88_99_aa_bb_cc_dd_ee_ff_1c_cf_00_00_00_00_ff_ff_50_68_01_c8_01_17_00_00_00_00_00_00_00_00_00_19_00_00_6a_92_22_11_c1
00:00:00.000128 rule 1/0(match): pass out on em1: 192.168.0.10.162 > 192.168.0.10.162: C=dd_cc_62_6c_69_63 Trap(97) .1.3.6.1.4.1.3183.1.1 192.168.0.10 enterpriseSpecific s=2453248 1014325720 .1.3.6.1.4.1.3183.1.1.1=00_11_22_33_44_55_66_77_88_99_aa_bb_cc_dd_ee_ff_1c_cf_00_00_00_00_ff_ff_50_68_01_c8_01_17_00_00_00_00_00_00_00_00_00_19_00_00_6a_92_22_11_c1
At the moment it doesn't matter why there are such packets; another thing is interesting for me: why does PF pass out this traffic?
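As an added example (it is not part of the original post and not PF's own tooling): a small parser for pflog lines in the tcpdump format shown above that groups entries by UDP/TCP 5-tuple and reports two things a defender would want to see from this log: flows that were logged as "block in" on some interface and also as "pass out" on some interface, and "pass out" entries whose source address is not one of the host's own addresses. The sample lines are constructed from the three log entries in the post, truncated after the SNMP trap marker since the payload is irrelevant to flow correlation; the set of local addresses is assumed from the em0/em1 addresses given in the post; all function and class names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the three pflog lines from the post, cut after "Trap(97)".
SAMPLE_PFLOG = """\
00:00:08.436901 rule 9/0(match): block in on em0: 192.168.0.10.162 > 192.168.0.10.162: C=dd_cc_62_6c_69_63 Trap(97)
00:00:00.000187 rule 9/0(match): block in on em1: 192.168.0.10.162 > 192.168.0.10.162: C=dd_cc_62_6c_69_63 Trap(97)
00:00:00.000128 rule 1/0(match): pass out on em1: 192.168.0.10.162 > 192.168.0.10.162: C=dd_cc_62_6c_69_63 Trap(97)
"""

# Assumed from the post: addresses configured on em0 and em1 of this host.
LOCAL_ADDRS = {"192.168.17.92", "192.168.170.92"}

# tcpdump-on-pflog header: "<delta> rule N/M(reason): <action> <dir> on <if>: <src> > <dst>:"
LINE_RE = re.compile(
    r"^(?P<delta>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


@dataclass(frozen=True)
class PfLogEntry:
    rule: int
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    ifname: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _split_addr(token):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; split on the last dot."""
    ip, _, port = token.rpartition(".")
    return ip, int(port)


def parse_pflog(text):
    """Parse every line that looks like a pflog verdict; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, hex dumps, unrelated noise
        src_ip, src_port = _split_addr(m["src"])
        dst_ip, dst_port = _split_addr(m["dst"])
        entries.append(PfLogEntry(int(m["rule"]), m["action"], m["dir"],
                                  m["ifname"], src_ip, src_port, dst_ip, dst_port))
    return entries


def flow_key(e):
    return (e.src_ip, e.src_port, e.dst_ip, e.dst_port)


def find_block_in_pass_out(entries):
    """Flows that were blocked inbound on some interface and also passed
    outbound on some interface. Returns {flow: {"blocked_in_on": [...],
    "passed_out_on": [...]}} so the interfaces involved are visible."""
    blocked_in = defaultdict(set)
    passed_out = defaultdict(set)
    for e in entries:
        if e.action == "block" and e.direction == "in":
            blocked_in[flow_key(e)].add(e.ifname)
        elif e.action == "pass" and e.direction == "out":
            passed_out[flow_key(e)].add(e.ifname)
    return {
        key: {"blocked_in_on": sorted(blocked_in[key]),
              "passed_out_on": sorted(passed_out[key])}
        for key in blocked_in.keys() & passed_out.keys()
    }


def foreign_source_pass_out(entries, local_addrs):
    """'pass out' verdicts whose source address is not one of this host's own
    addresses: the host is emitting a packet it did not originate itself."""
    return [e for e in entries
            if e.action == "pass" and e.direction == "out"
            and e.src_ip not in local_addrs]


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_PFLOG)
    for flow, where in find_block_in_pass_out(parsed).items():
        print("blocked in on %s, passed out on %s: %s:%d -> %s:%d"
              % (where["blocked_in_on"], where["passed_out_on"], *flow))
    for e in foreign_source_pass_out(parsed, LOCAL_ADDRS):
        print("pass out on %s (rule %d) with non-local source %s" % (e.ifname, e.rule, e.src_ip))
```

On a live system the same parser can be fed the output of `tcpdump -n -e -ttt -r /var/log/pflog` (or `-i pflog0`); the regex only consumes the verdict header, so the trailing protocol decode tcpdump prints is ignored regardless of protocol.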