Packet Fence evaluations


  • Moderator

    Is it correct for packet fence to be incrementing the "Match" count when an inbound packet doesn't match the Firewall rule inbound port settings?

    Do these rules need any further settings?

    IE: There are five rules that have logging enabled:

    Inbound  - block 80 tcp, block 443 tcp, block 80 udp, block 80 tcp
    Outbound - Block any any

    However, packet fence is prematurely counting packets as a match. These packets are not logged to the Firewall logs. So I assume that the "Match" count is being incremented with any Inbound packet regardless of the defined "Inbound Ports" in the rules.

    pfctl -vv -sr | grep 'pfB_Asia'

    @96(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto tcp from <pfb_asia_v4:4052> to any port = http label "USER_RULE: pfB_Asia_v4"
    @97(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto tcp from <pfb_asia_v4:4052> to any port = 443 label "USER_RULE: pfB_Asia_v4"
    @98(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto udp from <pfb_asia_v4:4052> to any port = http label "USER_RULE: pfB_Asia_v4"
    @99(1770001764) block drop in log quick on em0 reply-to (em0 x.x.x.x) inet proto udp from <pfb_asia_v4:4052> to any port = 443 label "USER_RULE: pfB_Asia_v4"
    @143(1770001893) block return in log quick on em1 inet from any to <pfb_asia_v4:4052> label "USER_RULE: pfB_Asia_v4"
    

    pfctl -vvsTables | grep -A10 'pfB_Asia'

    -pa-r-- pfB_Asia_v4
            Addresses:   4052
            Cleared:     Thu Sep 24 16:23:31 2015
            References:  [ Anchors: 0                  Rules: 5                  ]
            Evaluations: [ NoMatch: 1415               Match: 8                  ]
            In/Block:    [ Packets: 0                  Bytes: 0                  ]
            In/Pass:     [ Packets: 0                  Bytes: 0                  ]
            In/XPass:    [ Packets: 0                  Bytes: 0                  ]
            Out/Block:   [ Packets: 0                  Bytes: 0                  ]
            Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
            Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
    
                    <rule><ipprotocol>inet</ipprotocol>
                            <tracker>1770001893</tracker>
                            <type>reject</type>
                            <source>
                                    <any></any>
                            </source>
                            <destination><address>pfB_Asia_v4</address></destination>
                            <log></log>
                            <created><time>1443126205</time>
                                    <username>Auto</username></created>
                            <interface>lan</interface></rule>
                    <rule><ipprotocol>inet</ipprotocol>
                            <tracker>1770001764</tracker>
                            <type>block</type>
                            <source>
                                    <address>pfB_Asia_v4</address>
                            </source>
                            <destination><any></any><port>pfBlockerNGports</port></destination>
                            <protocol>tcp/udp</protocol>
                            <log></log>
                            <created><time>1443126205</time>
                                    <username>Auto</username></created>
                            <interface>wan</interface></rule>
    

    grep 'pfB_Asia' /tmp/rules.debug

    table <pfb_asia_v4> persist file "/var/db/aliastables/pfB_Asia_v4.txt"
    pfB_Asia_v4 = "<pfb_asia_v4>"
    
    block  in log  quick  on $WAN reply-to ( em0 x.x.x.x ) inet proto { tcp udp }  from $pfB_Asia_v4 to any port $pfBlockerNGports tracker 1770001764  label "USER_RULE: pfB_Asia_v4"
    
    block return  in log  quick  on $LAN inet from any to $pfB_Asia_v4 tracker 1770001893  label "USER_RULE: pfB_Asia_v4"
    

  • Banned

    
    -pa-r-- pfB_Europe_v4
            Addresses:   2139
            Cleared:     Thu Sep 24 15:24:27 2015
            References:  [ Anchors: 0                  Rules: 2                  ]
            Evaluations: [ NoMatch: 8220843            Match: 6069980            ]
            In/Block:    [ Packets: 0                  Bytes: 0                  ]
            In/Pass:     [ Packets: 120                Bytes: 21894              ]
            In/XPass:    [ Packets: 0                  Bytes: 0                  ]
            Out/Block:   [ Packets: 0                  Bytes: 0                  ]
            Out/Pass:    [ Packets: 198                Bytes: 66038              ]
            Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
    
    

    The rule is allow inbound OpenVPN without logging, the VPN has pretty much no traffic… NFC what are these counters doing here.
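Both tables quoted in this thread (pfB_Asia_v4 in the first post and pfB_Europe_v4 in the reply above) show "Evaluations: Match" far ahead of the In/Out packet rows. In pf these are different counters. The Evaluations pair counts address lookups made while a rule that references the table is being evaluated, and pf checks the source address before it checks ports, so a packet whose address is in the table bumps Match once for every referencing rule it is evaluated against, even if no rule ends up matching it. The In/Block, In/Pass and related rows count packets whose final matching rule referenced the table, which is also what shows up in the firewall log. Per-address counters on top of that need the table's counters flag, shown as C in the flags column, which -pa-r-- does not have. The script below is an added example, not code from this thread, from pfSense or from pfBlockerNG: it parses `pfctl -vvsT` output (the embedded sample is constructed from the numbers quoted above) and reports matched lookups separately from rule hits, flagging tables that were looked up but never decided a packet.

```python
import re
import sys

# Constructed sample of `pfctl -vvsT` output; the values are the ones
# quoted in the two posts above (pfB_Asia_v4 and pfB_Europe_v4).
SAMPLE_PFCTL_VVST = """\
-pa-r-- pfB_Asia_v4
        Addresses:   4052
        Cleared:     Thu Sep 24 16:23:31 2015
        References:  [ Anchors: 0                  Rules: 5                  ]
        Evaluations: [ NoMatch: 1415               Match: 8                  ]
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
-pa-r-- pfB_Europe_v4
        Addresses:   2139
        Cleared:     Thu Sep 24 15:24:27 2015
        References:  [ Anchors: 0                  Rules: 2                  ]
        Evaluations: [ NoMatch: 8220843            Match: 6069980            ]
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 120                Bytes: 21894              ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 198                Bytes: 66038              ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
"""

# pfctl prints seven flag characters (c p a i r h C), whitespace, then the table name.
TABLE_HEADER = re.compile(r"^(?P<flags>[-cpairhC]{7})\s+(?P<name>\S+)$")
# Indented "Key:   value" detail lines under each table header.
KV_LINE = re.compile(r"^\s+(?P<key>[A-Za-z/]+):\s+(?P<rest>.*)$")
# "Name: number" pairs inside a bracketed counter group.
BRACKET_COUNTERS = re.compile(r"([A-Za-z]+):\s+(\d+)")

PACKET_ROWS = ("In/Block", "In/Pass", "In/XPass", "Out/Block", "Out/Pass", "Out/XPass")


def parse_tables(text):
    """Parse `pfctl -vvsT` output into {table_name: {flags, addresses, counters}}."""
    tables = {}
    current = None
    for line in text.splitlines():
        header = TABLE_HEADER.match(line)
        if header:
            current = {"flags": header.group("flags"), "counters": {}}
            tables[header.group("name")] = current
            continue
        if current is None:
            continue
        kv = KV_LINE.match(line)
        if not kv:
            continue
        key, rest = kv.group("key"), kv.group("rest").strip()
        if rest.startswith("["):
            # "[ NoMatch: 1415  Match: 8 ]" -> {"NoMatch": 1415, "Match": 8}
            current["counters"][key] = {k: int(v) for k, v in BRACKET_COUNTERS.findall(rest)}
        elif key == "Addresses":
            current["addresses"] = int(rest)
        else:
            current[key.lower()] = rest  # e.g. the Cleared timestamp
    return tables


def summarize(tables):
    """Separate address lookups (Evaluations) from packets decided by a rule using the table."""
    summary = {}
    for name, t in tables.items():
        evals = t["counters"].get("Evaluations", {})
        packets = {row: t["counters"].get(row, {}).get("Packets", 0) for row in PACKET_ROWS}
        summary[name] = {
            "addresses": t.get("addresses", 0),
            "lookups_matched": evals.get("Match", 0),
            "lookups_nomatch": evals.get("NoMatch", 0),
            "blocked_packets": packets["In/Block"] + packets["Out/Block"],
            "passed_packets": sum(packets[row] for row in PACKET_ROWS if "Pass" in row),
            # The C flag means per-address counters are kept (`pfctl -vvT show`).
            "per_address_counters": "C" in t["flags"],
        }
    return summary


def tables_with_lookups_but_no_hits(summary):
    """Tables consulted during rule evaluation that never ended up blocking or passing a packet."""
    return sorted(name for name, s in summary.items()
                  if s["lookups_matched"] > 0
                  and s["blocked_packets"] + s["passed_packets"] == 0)


if __name__ == "__main__":
    # On pfSense: pfctl -vvsT | python3 thisscript.py ; otherwise the sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_VVST
    report = summarize(parse_tables(text))
    for name, s in report.items():
        print(f"{name}: {s['lookups_matched']} matched lookups, "
              f"{s['blocked_packets']} blocked, {s['passed_packets']} passed")
    print("looked up but never decided a packet:", tables_with_lookups_but_no_hits(report))
```

For the Asia table the script reports 8 matched lookups and 0 blocked or passed packets, which is the situation in the first post: the addresses were in the table, but the port test that follows failed, so no rule matched and nothing was logged. Because each referencing rule does its own lookup, Match can also exceed the number of packets involved. If you want to know how often a specific rule actually fired, the per-rule Evaluations and Packets counters from `pfctl -vvsr` are the ones to read, not the table counters.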


  • Moderator

    Hoping for one of the Devs to chime in on this if possible?  :)

    Thanks!


  • Moderator

    Guess posting this in redmine would be the next step?


  • Banned

    Apparently…

