I use OpenBSD's packet filter, PF, and am in the middle of building a new router/firewall with a moderately complex ruleset. I generally code rulesets the same way I write shell scripts: adding small bits and testing. My basic ruleset was preventing routing, and the logs kept telling me that the routing packets were being blocked by a rule that I thought shouldn't.

PF has a feature called "antispoof" that builds a set of rules that block packets that claim to originate from interfaces they shouldn't. The rule looks something like:


@16 block drop in log on ! vlan1 inet from 192.0.2.0/24 to any
[ Evaluations: 9907 Packets: 9283 Bytes: 794994 States: 0 ]
[ Inserted: uid 0 pid 2131 ]


Now, 192.0.2.0/24 (example) is the network I should be getting RIP packets from, and there is an explicit rule that allows those packets in the ruleset. So, why are the packets being blocked?!

Here's the part where I say aloud "Ohhhhhhhh!" and headdesk (from tcpdump):


000000 rule 16/0(match): block in on re0: (tos 0x0, ttl 1, id 53257, offset 0, flags [none], proto UDP (17), length 72) 192.0.2.254.520 > 192.0.2.255.520:
RIPv1, Response, length: 44, routes: 2[|rip]
0x0000: 0201 0000


The external interface is re0 on which I have tied multiple VLAN interfaces. The antispoof rule sees the packet come in on re0, and blocks, because it expects packets in that netblock only on vlan1.

Bookmark/Search this post with:

delicious | digg | technorati