# pf does not execute UDP port-specific block rule



## seaquest (Oct 13, 2013)

The traffic I want to block can be sniffed as below with tcpdump:


```
19:16:22.391164 IP 95.95.95.95.2036 > 10.10.10.10.443: UDP, length  8192
```

So I wanted to write a rule to block any UDP destination port 443 traffic.


```
block drop quick on igb3 inet proto udp to any port 443
```

Traffic does not match and is not blocked.

However, it matches and blocks if I write the rule as below:


```
block drop quick on igb3 inet proto udp to 10.10.10.10
```

Do you have any remarks?

I am using PF in FreeBSD 10 Alpha 2.


----------



## J65nko (Oct 13, 2013)

You have to keep in mind that pf uses a "last matching rule wins" strategy. Using "quick" is the method to prevent this strategy.
The rules are also processed sequentially so there is an earlier rule that uses "quick" to pass port 443 traffic.

You can check which rules are being evaluated and actually act on packets by inspecting the output of `# pfctl -vvs rules`, which produces output like this:


```
@16 pass out quick on re0 inet proto udp from ww.xx.yy.zz to any port = domain keep state
  [ Evaluations: 7690      Packets: 3646      Bytes: 467064      States: 1     ]
  [ Inserted: uid 0 pid 10284 State Creations: 1808  ]
```


----------



## seaquest (Oct 13, 2013)

I am sure that no rules are allowing. I have also added these rules at the top of pf.conf. The result was the same. Also, when I enabled both rules, I can see that the second rule is working, not the first.



```
@1 block drop quick on igb3 inet proto udp from 95.95.95.95 to any port = https
  [ Evaluations: 14045362  Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 78269 State Creations: 0     ]
@2 block drop quick on igb3 inet proto udp from any to 10.10.10.10
  [ Evaluations: 14045362  Packets: 3531832   Bytes: 4898178449  States: 0     ]
  [ Inserted: uid 0 pid 78269 State Creations: 0     ]
```


----------
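Editor's note, added to this thread and not code from either poster: the `pfctl -vvs rules` counters suggested above, and the two rules seaquest posted with them, are the fastest way to tell whether a rule is doing anything at all. A rule that has been evaluated millions of times with `Packets: 0` is not blocking anything, whatever pf.conf looks like. The small parser below reads that counter format and lists such rules; the input is a constructed sample built from the counters in this thread, not live firewall output.

```python
import re

# Constructed input in the layout of `pfctl -vvs rules`, built from the
# counters posted in this thread; it is not live output from a firewall.
SAMPLE_RULES_OUTPUT = """\
@1 block drop quick on igb3 inet proto udp from 95.95.95.95 to any port = https
  [ Evaluations: 14045362  Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 78269 State Creations: 0     ]
@2 block drop quick on igb3 inet proto udp from any to 10.10.10.10
  [ Evaluations: 14045362  Packets: 3531832   Bytes: 4898178449  States: 0     ]
  [ Inserted: uid 0 pid 78269 State Creations: 0     ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.+)$")
COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
    r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_pfctl_rules(text):
    """Return one dict per rule: rule number, rule text and its hit counters."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "rule": m.group(2).strip(),
                          "evaluations": 0, "packets": 0, "bytes": 0, "states": 0})
            continue
        m = COUNTER_RE.match(line)
        if m and rules:
            # The counter line always follows the rule it belongs to.
            rules[-1].update(evaluations=int(m.group(1)), packets=int(m.group(2)),
                             bytes=int(m.group(3)), states=int(m.group(4)))
    return rules


def has_port_criteria(rule_text):
    """True if the rule matches on a port (pfctl prints it as 'port = https')."""
    return re.search(r"\bport\b", rule_text) is not None


def never_matching(rules, min_evaluations=1):
    """Rules pf evaluated at least min_evaluations times but that never hit a packet.
    A block rule in this list is not blocking anything, whatever pf.conf says."""
    return [r for r in rules
            if r["evaluations"] >= min_evaluations and r["packets"] == 0]


if __name__ == "__main__":
    parsed = parse_pfctl_rules(SAMPLE_RULES_OUTPUT)
    for r in never_matching(parsed):
        hint = " (has a port criterion)" if has_port_criteria(r["rule"]) else ""
        print(f"@{r['num']} evaluated {r['evaluations']} times, 0 packets{hint}: {r['rule']}")
```

On a real box, feed it `pfctl -vvs rules` output instead of the sample; the `has_port_criteria` flag is there because a port-specific rule that is evaluated but never hit, while an address-only rule on the same traffic does hit, points at the rule's port criterion not being applicable to the packets rather than at rule ordering.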



## J65nko (Oct 14, 2013)

You are using two different "from" as well as two different "to" specifications.


```
Rule 1 "from" : 95.95.95.95
Rule 2 "from" : any

Rule 1 "to" : any port=https
Rule 2 "to" : 10.10.10.10
```
This is like comparing apples with peaches 

What is the source address of the blocked packets when you add "log" to your second rule? You can see the logged blocked traffic with `# tcpdump -tttt -eni pflog0 udp`

If you insert the following rule before rule 2, does it match?

```
block drop quick on igb3 inet proto udp from any to 10.10.10.10 port=https
```


----------
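Editor's note, added to the thread as an example and not code or advice from either poster. Two things are worth checking before hunting for an earlier `pass quick` rule. First, the evaluation model itself: without `quick`, the last matching rule decides, so a later address-only `pass` silently overrides an earlier port-specific `block`. Second, a caveat the tcpdump line at the top of the thread points at: that datagram carries 8192 bytes of UDP, far more than fits in a 1500-byte Ethernet frame, so it reaches the firewall as a chain of IP fragments. Unless pf reassembles fragments (a `scrub ... fragment reassemble` rule), it evaluates them without transport-layer criteria, so a rule that names a port is skipped while a rule that only names an address still matches. That is exactly the pattern in the posted counters (port rule at 0 packets, address rule hitting). The model below, editor's code assuming that fragment behaviour, plays out both effects on the thread's own rules; the packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False
    proto: Optional[str] = None  # None means any protocol
    src: Optional[str] = None    # None means "from any"
    dst: Optional[str] = None    # None means "to any"
    dport: Optional[int] = None  # None means no port criterion


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    fragment: bool = False       # IP fragment that pf did not reassemble


def evaluate(rules, pkt, default="pass"):
    """Model of pf filter evaluation (editor's simplification, not pf's code).

    Rules are walked in order; the last matching rule decides, unless a
    matching rule carries 'quick', which ends the walk at once. Unreassembled
    fragments are matched without transport-layer criteria: a rule that
    specifies a port is skipped for them (assumed pf behaviour without a
    'scrub ... fragment reassemble' rule). Returns (action, deciding rule index).
    """
    winner = None
    for i, r in enumerate(rules):
        if r.dport is not None and pkt.fragment:
            continue                       # port rules cannot match fragments
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.src is not None and r.src != pkt.src:
            continue
        if r.dst is not None and r.dst != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        winner = i
        if r.quick:
            break
    if winner is None:
        return default, None
    return rules[winner].action, winner


# The two rules posted in the thread (@1 and @2).
THREAD_RULES = [
    Rule("block", quick=True, proto="udp", src="95.95.95.95", dport=443),
    Rule("block", quick=True, proto="udp", dst="10.10.10.10"),
]

# Constructed packets: the sniffed datagram carries 8192 bytes of UDP, far
# more than fits in one 1500-byte Ethernet frame, so it arrives in fragments.
FRAGMENTED = Packet("udp", "95.95.95.95", "10.10.10.10", dport=443, fragment=True)
REASSEMBLED = Packet("udp", "95.95.95.95", "10.10.10.10", dport=443)

# Without 'quick' a later matching rule overrides an earlier block.
LAST_MATCH_RULES = [
    Rule("block", proto="udp", dport=443),
    Rule("pass", proto="udp", dst="10.10.10.10"),
]
QUICK_RULES = [
    Rule("block", quick=True, proto="udp", dport=443),
    Rule("pass", proto="udp", dst="10.10.10.10"),
]

if __name__ == "__main__":
    print("fragmented  :", evaluate(THREAD_RULES, FRAGMENTED))       # ('block', 1): @2 hits, @1 skipped
    print("reassembled :", evaluate(THREAD_RULES, REASSEMBLED))      # ('block', 0): @1 hits
    print("last match  :", evaluate(LAST_MATCH_RULES, REASSEMBLED))  # ('pass', 1)
    print("quick       :", evaluate(QUICK_RULES, REASSEMBLED))       # ('block', 0)
```

If the fragment explanation fits, the practical check is `tcpdump -ni igb3 'ip[6:2] & 0x3fff != 0'` to confirm fragments are arriving, and the usual remedy is a `scrub in all fragment reassemble` line in pf.conf so that the port rule sees whole datagrams; both are the editor's suggestions, not something the thread establishes.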

