Unix Technical Forum

Re: Why packets are not blocked



02-17-2008, 05:28 PM
Andrew Smith
Re: Why packets are not blocked

Try flushing the state table too.

-Andy

-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of Jim
Sent: 08 March 2006 03:00
To: misc@openbsd.org
Subject: Why packets are not blocked

When my kid gets grounded I block the gameroom computer from getting to the
internet. The script that runs is

#!/bin/sh -
cp /home/jmays/pf.conf.noGameroom /etc/pf.conf
pfctl -F rules -f /etc/pf.conf
pfctl -F nat -f /etc/pf.conf

The file that becomes the pf.conf file is

# pf.conf.noGameroom file
#
# Define useful variables
#
ExtIF ="dc0" # External Interface
IntIF ="hme0" # Internal Interface
loopbackIF="lo0" # Loopback Interface
#
IntNet ="192.168.100.0/24" # Our internal network
Austin ="192.168.100.129"
Gameroom="192.168.100.130"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#Services="{ ssh, ftp }"
Services="{ ssh }"

# Clean up fragmented and abnormal packets
scrub in all

# nat on dc1 from 192.168.100.0/24 to any -> dc1
nat on $ExtIF from $Gameroom to any tag GAME -> ($ExtIF)
nat on $ExtIF from $IntNet to any -> ($ExtIF)
block out log quick on $ExtIF tagged GAME

#pass anything on loopback
pass out quick on $loopbackIF

# don't allow anyone to spoof non-routeable addresses
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

# allow others to use allowed services
pass in on $ExtIF inet proto tcp from any to any port $Services \
flags S/SA keep state

# and let out-going traffic out and maintain state on established
# connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out log on $ExtIF all
pass out log on $ExtIF inet proto tcp all flags S/SA keep state
pass out log on $ExtIF inet proto udp all keep state
pass out log on $ExtIF inet proto icmp all keep state
#


The problem is that if the kid is already logged into AOL Instant messenger,
the connection is not broken. So even though she is grounded, she can still
chat all day on AIM. Why isn't this pf.conf file blocking everything on
that computer?

Here is the tail of the pflog file while she is on

Mar 07 20:30:43.516434 rule 14/0(match): pass out on dc0: 67.174.79.141.60805 > 64.12.174.121.80: S 3652110150:3652110150(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:43.739711 rule 14/0(match): pass out on dc0: 67.174.79.141.52657 > 209.62.180.190.80: S 4073040009:4073040009(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:43.960820 rule 14/0(match): pass out on dc0: 67.174.79.141.63494 > 216.39.69.77.80: S 3255465945:3255465945(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:44.014579 rule 15/0(match): pass out on dc0: 67.174.79.141.60482 > 204.127.202.4.53: 46801+ A? spe.atdmt.com. (31)
Mar 07 20:30:44.063887 rule 14/0(match): pass out on dc0: 67.174.79.141.60937 > 80.67.84.16.80: S 1960373362:1960373362(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:31:02.940879 rule 14/0(match): pass out on dc0: 67.174.79.141.51753 > 204.127.198.10.110: S 2067644325:2067644325(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)


I don't even have 14 rules. Why is this passing on rule 14?

Thanks
Jim

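Andy's suggestion worked through as an added example (this is not Jim's script or anything posted in the thread): a grounding script that reloads the ruleset and then kills the existing state entries for the gameroom host, a narrower version of flushing the whole state table that leaves other machines' connections alone. It assumes OpenBSD's pfctl(8) and reuses the paths and the 192.168.100.130 address from Jim's post; the PFCTL variable only exists so the logic can be dry-run without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Reload the restrictive pf.conf and
# then remove the state entries that already exist for the grounded host, so a
# connection opened before the reload (an AIM login, for instance) is cut off
# instead of continuing to match its old state entry.
#
# Assumptions: pfctl(8) from OpenBSD pf is in PATH and we run as root; the
# paths and address are the ones from the original post.
set -u

PFCTL=${PFCTL:-pfctl}                        # overridable for a dry run
RESTRICTED_CONF=/home/jmays/pf.conf.noGameroom
ACTIVE_CONF=/etc/pf.conf

# A single -f loads every section of the file (nat and filter rules) and
# replaces the rulesets that were active before.
load_ruleset() {
    "$PFCTL" -f "$1"
}

# Packets that match an existing state entry never reach the ruleset, so a
# reload alone leaves established connections untouched. Kill the host's
# states in both directions: first those it originated, then those to it.
kill_host_states() {
    "$PFCTL" -k "$1" &&
    "$PFCTL" -k 0.0.0.0/0 -k "$1"
}

# ground_host HOST [RESTRICTED_CONF] [ACTIVE_CONF]
ground_host() {
    host=$1
    restricted=${2:-$RESTRICTED_CONF}
    active=${3:-$ACTIVE_CONF}
    cp "$restricted" "$active" &&
    load_ruleset "$active" &&
    kill_host_states "$host"
}

# Only act when a host is given, e.g.: ./ground.sh 192.168.100.130
if [ $# -ge 1 ]; then
    ground_host "$1"
fi
```

`pfctl -ss` before and after the run shows which state entries were removed for the host.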