Re: How to skip broadcast in pf logs

From: FM (fakta99_at_yahoo.se)
Date: 09/24/03


Date: 23 Sep 2003 16:19:00 -0700

Daniel Hartmeier <daniel@benzedrine.cx> wrote in message news:<slrnbn0uv1.8n4.daniel@insomnia.benzedrine.cx>...
> On 23 Sep 2003 08:44:21 -0700, FM wrote:
>
> > No 'log' word and added 'quick'. These annoying broadcast packets are
> > still logged, in spite of my attempts to avoid it. Why?
>
> Make sure you have successfully reloaded the ruleset after editing it.
> pfctl -f /etc/pf.conf should produce no error message, and pfctl -sr
> should show the newly loaded rules. If those block rules really come
> first, they should drop matching packets without logging. Show us
> a pflog entry, maybe the reason for logging is not matching a log
> rule, but IP options or short packets.
>
> > And how do I track a certain rule number. For example, rule #34,
> > "17:38:10.370695 rule 34/0(match): block in on.."
> > 'pfctl -s rules' doesn't show number of each rule.
>
> pfctl -vvsr prints @nr in front of each rule, those numbers relate
> to the numbers mentioned by pflog.
>
> Daniel

The ruleset loads fine. I flushed old states and reloaded
/etc/pf.conf. These are simplified pf rules and they still log
255.255.255.255 packets.
=========================================================================
# MACROS
  ExtIF="fxp0"
  Nonroutables="{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
                  169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, \
                  192.168.0.0/16, 204.152.64.0/23, \
                  224.0.0.0/3, 255.255.255.255/32 }"

# OPTIONS
  set loginterface $ExtIF

# NORMALIZATION
  scrub in all

# TRANSLATION
  nat on $ExtIF from 192.168.10.10 to any -> ($ExtIF)

# FILTERING
# Don't bloat logs
  block in quick on $ExtIF inet proto { tcp, udp } \
  from any to port { 137, 138, 139 }

# Stop non-routable addresses and network noise
  block in quick on $ExtIF from $Nonroutables to any
  block out quick on $ExtIF from any to $Nonroutables
  block in quick on $ExtIF inet proto igmp from any to any
  block out quick on $ExtIF inet proto igmp from any to any

  block in log on $ExtIF all

# pass all outgoing tcp, udp and icmp packets and keep state
  block out on $ExtIF all
  pass out on $ExtIF proto tcp all modulate state
  pass out on $ExtIF proto udp all keep state
  pass out on $ExtIF proto icmp all keep state
=========================================================================

An excerpt from /var/log/pflog:

#tcpdump -q -e -n -r /var/log/pflog | grep 255.255.255.255
22:35:31.992973 rule 34/0(match): block in on fxp0: 130.236.236.187.9778 > 255.255.255.255.8777: udp 6
22:43:12.948382 rule 34/0(match): block in on fxp0: 130.236.237.143.3531 > 255.255.255.255.3531: udp 25
00:23:38.861353 rule 34/0(match): block in on fxp0: 130.236.226.139.2302 > 255.255.255.255.6073: udp 21

..and so on. Rule #34 is identified by 'pfctl -vvsr' as:

@34 block drop in log on fxp0 all
  [ Evaluations: 149 Packets: 47 Bytes: 5791 States: 0 ]

The question is why packets to 255.255.255.255 get logged when rule #34
is preceded by rules with 'quick' and no 'log' keyword. These should
immediately take care of broadcast packets.

-FM
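Added illustration, not part of FM's post or of pf itself: a small Python evaluator that replays the three pflog records quoted above against the posted inbound rules, using pf's semantics (every rule is walked, the last match wins, unless a matching rule carries `quick`, which ends the walk). It makes visible why rule #34 fires: the only quick rule that mentions `$Nonroutables` is `from $Nonroutables to any`, which tests the *source* address, while the logged datagrams come from 130.236.x.x and only have 255.255.255.255 as their *destination*. The second ruleset in the block, with an extra `block in quick ... from any to $Nonroutables` rule ahead of the catch-all, is a hypothetical variant written for this example, not something the thread proposes; the sample log lines are the post's own records re-joined onto one line each, and the two extra packets in the usage section are constructed.

```python
"""Replay pflog records against the simplified inbound ruleset posted above.

Added example: a toy model of pf rule matching, not pf code.
"""
import ipaddress
import re

ANY = [ipaddress.ip_network("0.0.0.0/0")]
# The $Nonroutables macro exactly as posted.
NONROUTABLES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "204.152.64.0/23", "224.0.0.0/3", "255.255.255.255/32")]


def rule(name, quick, log, proto=None, src=ANY, dst=ANY, dport=None):
    """One 'block in' rule: proto/src/dst/dport are match criteria (None = any)."""
    return dict(name=name, quick=quick, log=log, proto=proto,
                src=src, dst=dst, dport=dport)


# The inbound rules from the post, in ruleset order.
POSTED_IN_RULES = [
    rule("block netbios", quick=True, log=False,
         proto={"tcp", "udp"}, dport={137, 138, 139}),
    rule("block from nonroutables", quick=True, log=False, src=NONROUTABLES),
    rule("block igmp", quick=True, log=False, proto={"igmp"}),
    rule("block in log all", quick=False, log=True),
]

# Hypothetical variant (not from the thread): one more quick rule that matches on
# the DESTINATION address, placed ahead of the logging catch-all.
WITH_DST_RULE = POSTED_IN_RULES[:3] + [
    rule("block to nonroutables", quick=True, log=False, dst=NONROUTABLES),
] + POSTED_IN_RULES[3:]

LOG_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\w+)")


def parse_pflog(line):
    """Extract src/dst address, ports and protocol from one 'tcpdump -q -n' pflog line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised pflog line: %r" % line)
    return dict(src=ipaddress.ip_address(m.group(1)), sport=int(m.group(2)),
                dst=ipaddress.ip_address(m.group(3)), dport=int(m.group(4)),
                proto=m.group(5))


def matches(r, pkt):
    return ((r["proto"] is None or pkt["proto"] in r["proto"])
            and any(pkt["src"] in n for n in r["src"])
            and any(pkt["dst"] in n for n in r["dst"])
            and (r["dport"] is None or pkt["dport"] in r["dport"]))


def decide(pkt, rules):
    """Return the rule that decides pkt: last match wins, a matching 'quick' rule stops the walk."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return winner


# Constructed sample: the three records quoted in the post, each re-joined onto one line.
SAMPLE_PFLOG = [
    "22:35:31.992973 rule 34/0(match): block in on fxp0: 130.236.236.187.9778 > 255.255.255.255.8777: udp 6",
    "22:43:12.948382 rule 34/0(match): block in on fxp0: 130.236.237.143.3531 > 255.255.255.255.3531: udp 25",
    "00:23:38.861353 rule 34/0(match): block in on fxp0: 130.236.226.139.2302 > 255.255.255.255.6073: udp 21",
]


def deciding_rules(lines, rules):
    """(rule name, logs?) for each pflog line under the given ruleset."""
    out = []
    for line in lines:
        r = decide(parse_pflog(line), rules)
        out.append((r["name"], r["log"]))
    return out


if __name__ == "__main__":
    for label, rules in (("posted ruleset", POSTED_IN_RULES),
                         ("with hypothetical destination rule", WITH_DST_RULE)):
        print(label)
        for line, (name, log) in zip(SAMPLE_PFLOG, deciding_rules(SAMPLE_PFLOG, rules)):
            p = parse_pflog(line)
            print("  %s > %s  ->  %s%s" % (p["src"], p["dst"], name,
                                          " (logged)" if log else ""))
```

Run as a script it prints the deciding rule per record: under the posted ruleset all three broadcast datagrams end at "block in log all", under the variant they stop at the destination rule without logging. Whether blocking inbound traffic *to* every prefix in that macro is what you actually want is a separate decision; 255.255.255.255/32 and 224.0.0.0/3 are the ones that account for the noise shown here.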