pf not execute udp port specific block rule

The traffic I want to block can be sniffed as below with tcpdump:

Code:
19:16:22.391164 IP 95.95.95.95.2036 > 10.10.10.10.443: UDP, length  8192

So I wanted to write a rule block any UDP destination port 443 traffic.

Code:
block drop quick on igb3 inet proto udp to any port 443

Traffic does not match and is not blocked.

However, It matches and blocks if I write rule as below:

Code:
block drop quick on igb3 inet proto udp to 10.10.10.10

Do you have any remarks?

I am using PF in FreeBSD 10 Alpha 2.
 
You have to keep in mind that pf uses a "last matching rule wins" strategy. Using "quick" is the method to prevent this strategy.
The rules are also processed sequentially so there is an earlier rule that uses "quick" to pass port 443 traffic.

You can check which rules are being evaluated and actually act on packets by inspecting the output of # pfctl -vvs rules, which produces output like this:

Code:
@16 pass out quick on re0 inet proto udp from ww.xx.yy.zz to any port = domain keep state
  [ Evaluations: 7690      Packets: 3646      Bytes: 467064      States: 1     ]
  [ Inserted: uid 0 pid 10284 State Creations: 1808  ]
 
I am sure that no rules are allowing. I have also added these rules at the top of pf.conf. The result was the same. Also, when I enabled both rules, I can see that the second rule is working, not the first.


Code:
@1 block drop quick on igb3 inet proto udp from 95.95.95.95 to any port = https
  [ Evaluations: 14045362  Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 78269 State Creations: 0     ]
@2 block drop quick on igb3 inet proto udp from any to 10.10.10.10
  [ Evaluations: 14045362  Packets: 3531832   Bytes: 4898178449  States: 0     ]
  [ Inserted: uid 0 pid 78269 State Creations: 0     ]
 
You are using two different "from" as well as two different "to" specifications.

Code:
Rule 1 "from" : 95.95.95.95
Rule 2 "from" : any

Rule 1 "to" : any port=https
Rule 2 "to" : 10.10.10.10
This is like comparing apples with peaches ;)

What is the source address of the blocked packets when you add "log" to your second rule? You can see the logged blocked traffic with # tcpdump -tttt -eni pflog0 udp

If you insert the following rule before rule 2, does it match?
Code:
block drop quick on igb3 inet proto udp from any to 10.10.10.10 port=https
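As an added illustration of the two points made in the replies (last matching rule wins unless a rule is "quick", and the two rules carry different "from"/"to" specifications), here is a toy Python model of pf's rule selection. It is not pf's parser and not code from the thread: it understands only the subset of pf.conf syntax used above and reproduces the Evaluations/Packets counters of pfctl -vvs rules. The packets it feeds in are constructed; the one with no visible destination port is an assumption about one way a port-matching rule can fail to match (for example a non-first IP fragment when reassembly is not enabled), and whether that is what happened in this thread is not established on the page.

```python
"""Toy model of how pf picks a rule, written for this thread.

NOT pf's parser: it handles only the syntax the rules above use (action,
quick, on <if>, proto, from, to, port [=] <n|name>) and ignores the rest
(drop, inet, in/out, log, keep state, source-port specs).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICES = {"https": 443, "domain": 53}  # pfctl prints well-known ports by name


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]  # None: no UDP/TCP header visible to the filter (assumption)


@dataclass
class Rule:
    text: str
    action: str                  # "pass" or "block"
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    evaluations: int = 0         # like pfctl's Evaluations counter
    packets: int = 0             # like pfctl's Packets counter (rule applied)

    def matches(self, pkt: Packet) -> bool:
        if self.iface not in (None, pkt.iface) or self.proto not in (None, pkt.proto):
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        # A "port" spec can only match when the filter can see a destination port.
        return self.dport is None or pkt.dport == self.dport


def parse_rule(text: str) -> Rule:
    toks = text.replace("=", " = ").split()   # accepts "port=https" as well
    rule, side, i = Rule(text=text, action=toks[0]), None, 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick = True
        elif t in ("on", "proto", "from", "to"):
            i += 1
            if t == "on":
                rule.iface = toks[i]
            elif t == "proto":
                rule.proto = toks[i]
            elif t == "from":
                rule.src, side = toks[i], "src"
            else:
                rule.dst, side = toks[i], "dst"
        elif t == "port":
            i += 1
            if toks[i] == "=":
                i += 1
            port = SERVICES.get(toks[i]) or int(toks[i])
            if side == "dst":                 # source-port specs ignored here
                rule.dport = port
        i += 1
    return rule


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Last matching rule wins; a matching 'quick' rule ends evaluation at once.
    No match at all is pf's implicit pass."""
    winner = None
    for r in rules:
        r.evaluations += 1
        if r.matches(pkt):
            winner = r
            if r.quick:
                break
    if winner is None:
        return "pass", None
    winner.packets += 1
    return winner.action, winner


def decide(rule_texts: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """(action, 1-based rule number as in pfctl's @N) for one packet."""
    rules = [parse_rule(t) for t in rule_texts]
    action, winner = evaluate(rules, pkt)
    return action, (rules.index(winner) + 1 if winner else None)


# The two rules from the pfctl -vvs rules output in the thread.
THREAD_RULES = [
    "block drop quick on igb3 inet proto udp from 95.95.95.95 to any port = https",
    "block drop quick on igb3 inet proto udp from any to 10.10.10.10",
]
# Constructed packets, not captures from the thread.
WANTED = Packet("igb3", "udp", "95.95.95.95", "10.10.10.10", 443)   # the tcpdump line
OTHER_SRC = Packet("igb3", "udp", "95.95.95.96", "10.10.10.10", 443)
NO_PORT = Packet("igb3", "udp", "95.95.95.95", "10.10.10.10", None)  # port not visible
DNS = Packet("igb3", "udp", "198.51.100.7", "10.10.10.10", 53)       # collateral damage


def quick_vs_last_match() -> Tuple[str, str]:
    """Same pair of rules without and with quick, for a packet both rules match."""
    no_quick = ["block on igb3 inet proto udp to any port = 443",
                "pass on igb3 inet proto udp to 10.10.10.10"]
    with_quick = ["block quick on igb3 inet proto udp to any port = 443",
                  "pass on igb3 inet proto udp to 10.10.10.10"]
    return decide(no_quick, WANTED)[0], decide(with_quick, WANTED)[0]


if __name__ == "__main__":
    for name, pkt in [("wanted", WANTED), ("other src", OTHER_SRC),
                      ("no port", NO_PORT), ("dns", DNS)]:
        print(f"{name:10s} -> {decide(THREAD_RULES, pkt)}")
    print("without quick / with quick:", quick_vs_last_match())
```

In this model the packet from the tcpdump line is taken by rule @1, so a real ruleset showing Packets: 0 on @1 while @2 counts millions means the packets on the wire differ from that rule in source address or in having a destination port the filter can see; the "log" suggestion above is the way to find out which. The DNS packet also shows the cost of the broad second rule: it blocks every UDP datagram to 10.10.10.10, not just port 443.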
 