PF firewall configuration for OS X 10.7 and later. This is a complete package with a custom launchd item and control scripts. There's also a Makefile for creating the installer package with luggage.
- /Library/LaunchDaemons/com.github.hjuutilainen.pf.plist
  - Launchd item that starts the firewall on boot. It simply calls /usr/local/bin/pf-control.sh with the restart argument.
- /etc/com.github.hjuutilainen.pf.conf
  - The main configuration file. We're not modifying the default /etc/pf.conf since Apple seems to modify it in their OS updates. Instead, this file includes /etc/pf.conf (`include "/etc/pf.conf"`) and adds our own configuration after it.
- /etc/pf.anchors/com.github.hjuutilainen.pf.macros
  - The macro file where we define trusted IP addresses and groups. This file is included by the default and custom rule files, so anything you define here can be used when writing rules.
- /etc/pf.anchors/com.github.hjuutilainen.pf.rules
  - The actual rule file.
- /etc/pf.anchors/com.github.hjuutilainen.pf.custom
  - The custom rule file. Intended for client-specific rules and local editing. The installer creates this in the postflight script if it doesn't exist.
- /etc/pf.anchors/com.github.hjuutilainen.pf.d
  - A directory that can contain custom rules as files. Intended for the situation where some third-party application requires special firewall rules. Create a file (programmatically) in this folder and it will be included in the final ruleset.
- /usr/local/bin/pf-control.sh
  - Control script for the firewall. Usage: `pf-control.sh start|stop|restart`
- /usr/local/bin/pf-restart.sh
  - Helper script to quickly unload and load the launchd item.
- ./Makefile
  - The Makefile for luggage. To create the installer package, run `make pkg` in this directory.
- ./postflight
  - Installer postflight script. Loads the firewall if installed on the startup disk.
- ./preflight
  - Installer preflight script. Unloads the launchd item (if loaded) and takes a backup of the files about to be overwritten (to /var/backups/).
I have an issue that my pf logs many packets that it's not supposed to log. I reproduced it with an almost empty pf.conf:

```
set skip on lo
```

and it still logs some packets. I think that all those packets are of ICMP6 type and they do not really belong to my computer; I have no idea why I am receiving them, but I don't have control over it.
Here's an example packet (received with tcpdump on pflog0):

So my question is: where can I read about those default match rules, and how do I disable those logs?

I tried to explicitly match those packets with something like

```
pass in on vio0
```

(without a log statement), but they are still logged, probably because of that mysterious default match which marks the packet to be logged.
1 Answer
> I have no idea why am I receiving them

It's multicast traffic.

> where can I read about those default match rules

Well, the thing as a whole is partially documented, but it's not that obviously tracked back from the issue you're seeing.

From `man pf.conf` (markup is mine):

> allow-opts — By default, packets with IPv4 options or IPv6 **hop-by-hop** or destination options header are blocked. When allow-opts is specified for a pass rule, packets that pass the filter based on that rule (last matching) do so even if they contain options.

The HBH you're seeing in logs is exactly that 'hop-by-hop'. My theory is: pf's developers decided that since that kind of traffic is to be blocked even if there's a `pass` rule (which seemingly is by default there in your case), it would make sense to whistle-blow harder; that's why you're getting it logged.

> and how do I disable those logs

As suggested in the man page, you can fix that by introducing a `pass` rule with `allow-opts` explicitly given:

```
pass allow-opts
```
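As an added example (constructed for this page, not part of the question or the answer), a pf.conf that narrows the fix: instead of a bare `pass allow-opts`, which waives the options check for every packet, it gives `allow-opts` only to the link-local multicast ICMPv6 traffic that legitimately carries a hop-by-hop Router Alert option (MLD listener queries and reports), and leaves every other options-bearing packet blocked and logged as before. The interface name `vio0` comes from the question; assuming the logged packets are MLD is my reading of "multicast traffic" plus "HBH", not something the page states.

```pf
# Constructed example; not the original poster's ruleset.
# Leave loopback alone, as in the question.
set skip on lo

# pf blocks (and logs) packets carrying IPv6 hop-by-hop options unless the
# matching pass rule says allow-opts. MLD (ICMPv6 type 130 = listener query,
# 131/132 = MLDv1 report/done, 143 = MLDv2 report) always carries the
# hop-by-hop Router Alert option, so it is what usually shows up as HBH.
# Match only that traffic, only to link-local multicast (ff02::/16), and
# pass it with allow-opts; "quick" stops later rules from overriding this.
pass in  quick on vio0 inet6 proto icmp6 from any to ff02::/16 \
    icmp6-type { 130, 131, 132, 143 } allow-opts
pass out quick on vio0 inet6 proto icmp6 from any to ff02::/16 \
    icmp6-type { 130, 131, 132, 143 } allow-opts

# Everything else keeps pf's default behaviour: this rule has no allow-opts,
# so any other packet with IPv4 options or IPv6 hop-by-hop/destination
# options headers is still dropped and logged.
pass on vio0
```

Check the file with `pfctl -nf /path/to/pf.conf` before loading it; `-n` only parses the rules without changing the running ruleset.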