Re: PF and spoofed traffic
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: PF and spoofed traffic
- From: Jason Opperisano <opie_(_at_)_817west_(_dot_)_com>
- Date: Fri, 8 Oct 2004 12:46:15 -0400
- Cc: Creative Consulting <creacon_(_at_)_hotmail_(_dot_)_com>
On Fri, Oct 08, 2004 at 02:51:16PM +0200, Creative Consulting wrote:
> Hi,
>
> I've been testing something for a friend of mine who was experiencing worm
> activity on his OpenBSD 3.4 web server. Using hping on one device I sent
> packets to my web server (another system) with PF running. The packets have a
> spoofed source address 127.0.0.1, spoofed TCP source port 80 and
> destination port >1025. That way it would look like a response from a
> web server that is running locally. The command I used was "hping -a
> 127.0.0.1 -s 80 -k -p ++1025 $myremotewebserver", and I ran tcpdump on the
> external interface of the target server and on the pflog interface. The
> spoofed packets hit the external interface and tcpdump shows the packets,
> but tcpdump on pflog0 doesn't show any output. Other denied traffic is
> getting logged; only those packets with spoofed source address 127.0.0.1
> aren't getting logged. Even with a simple PF ruleset (just "block log all")
> those packets aren't showing up. I'm sure the packets are being dropped
> because they only appear on the external interface, but I'm a little
> surprised because I don't see them logged by pflog. Is this normal
> behaviour for pflog, and am I missing something?
Yeah--OpenBSD's networking code drops packets received from 127.0.0.1 "on the wire" before PF ever sees them.
-j
--
Jason Opperisano <opie_(_at_)_817west_(_dot_)_com>
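The test described in the thread, written up as a small script so the comparison between the two captures is explicit rather than eyeballed. This is an added example, not code from either poster. It assumes an OpenBSD target with pf enabled, that the external interface name is passed as the first argument, that the script runs as root on the target (tcpdump needs it), and that hping is run from a second host with the same arguments as in the mail; the tcpdump output lines fed to count_loopback_src in the usage below are constructed, not captured.

```shell
#!/bin/sh
# Added example: confirm that packets with a spoofed 127.0.0.1 source reach
# the external interface but never appear on pflog0 (i.e. are dropped by
# the IP input path before pf gets to see, block and log them).

# count_loopback_src: read tcpdump -n text output on stdin and count the
# packets whose IPv4 source is 127.0.0.1. Matches both the plain interface
# format ("IP 127.0.0.1.80 > host.1025: ...") and the pflog0 format
# ("rule 0/(match) block in on em0: 127.0.0.1.80 > host.1025: ...").
count_loopback_src() {
    awk '/(^| )127\.0\.0\.1\.[0-9]+ > / { n++ } END { print n + 0 }'
}

# verdict: given the two counts, say where the spoofed packets went.
verdict() {
    ext="$1"; pflog="$2"
    if [ "$ext" -eq 0 ]; then
        echo "no spoofed packets reached the external interface"
    elif [ "$pflog" -eq 0 ]; then
        echo "dropped by the IP input path before pf (not logged)"
    else
        echo "seen by pf and logged"
    fi
}

# run_test EXT_IF [SECONDS]: capture on the external interface and pflog0 for
# SECONDS (default 10) while, from the other host, you run
#   hping -a 127.0.0.1 -s 80 -k -p ++1025 <target>
# then print both counts and the verdict. Root only; OpenBSD only.
run_test() {
    ext_if="$1"; secs="${2:-10}"
    tmp=$(mktemp -d) || return 1
    # -l for line-buffered output, -n to keep addresses numeric so the
    # regex above matches; the BPF filter already restricts to the spoofed src.
    tcpdump -l -n -i "$ext_if" 'src host 127.0.0.1' > "$tmp/ext" 2>/dev/null &
    p_ext=$!
    tcpdump -l -n -i pflog0 'src host 127.0.0.1' > "$tmp/pflog" 2>/dev/null &
    p_pflog=$!
    echo "capturing for $secs seconds; start hping on the sending host now"
    sleep "$secs"
    kill "$p_ext" "$p_pflog" 2>/dev/null
    wait "$p_ext" "$p_pflog" 2>/dev/null
    n_ext=$(count_loopback_src < "$tmp/ext")
    n_pflog=$(count_loopback_src < "$tmp/pflog")
    rm -rf "$tmp"
    echo "external interface: $n_ext, pflog0: $n_pflog"
    verdict "$n_ext" "$n_pflog"
}

# Live usage on the target (uncomment): run_test em0 10
```

For a second, independent check on the target, compare `netstat -s -p ip` before and after the hping run: the IP input statistics keep a counter for packets dropped for a bad (here, loopback) address, and it should grow by the same number that count_loopback_src reports for the external interface while pflog0 stays at zero.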