# pf - Question on rule matching



## jnojr (Mar 5, 2014)

I'm getting some logs like:


```
00:00:31.119351 rule 2/8(ip-option): pass in on en0: 172.24.32.41 > 224.0.0.1: igmp query v2
```

Rule 2 is:


```
@2 pass in all flags S/SA keep state
```

I cannot begin to imagine how that rule allowed that packet.

And what's the "/8" in "rule 2/8"?


----------



## usdmatt (Mar 5, 2014)

You say you can't imagine how that rule matched, but why did you add that rule to your firewall, and what do you expect it to do? To me it seems to allow any inbound connection setup request, then maintain state so further packets in the same connection are allowed (assuming you have a rule to allow connections already in an open state).



> pass in on fxp0 proto tcp from any to any port ssh flags S/SA
> pass in on fxp0 proto tcp from any to any port ssh
> As flags S/SA is set by default, the above rules are equivalent



That seems to suggest that your rule would function exactly the same without flags S/SA, making it effectively an "allow all in" rule. Personally I see no reason to have allow-in rules like this. You should only allow traffic in from hosts you want, or from any to services you want open to the world, and maybe an allow-state rule to match state set by outbound connections.

Maybe I'm way off having never used pf but all the firewalls have similar syntax and it seems a very strange rule.


----------



## _martin (Mar 5, 2014)

usdmatt said:

> Maybe I'm way off having never used pf but all the firewalls have similar syntax and it seems a very strange rule.


You are correct. Simplified a bit, it is as you said: "pass in all". It seems to me like it should have been the "pass out" rule.


----------



## usdmatt (Mar 6, 2014)

Ah yes, it would make sense as an out rule. It's fairly common to allow all out, then keep state to allow any responses back through.


----------



## kpa (Mar 6, 2014)

This is one of the peculiarities of PF. Any traffic that has the IP options field set in the packets will be passed if there's a pass rule that matches the traffic, but it will still be logged even if there's no logging specified in the rule. The solution is to write the pass rules:


```
pass in all allow-opts
```


----------



## jnojr (Mar 6, 2014)

usdmatt said:

> You say you can't imagine how that rule matched but why did you add that rule to your firewall/what do you expect it to do? To me it seems to allow any inbound connection setup requests, then maintain state so further packets in the same connection are allowed



Crap. I'm trying to say "allow in any packets that are part of an already-established connection", like "allow ip from any to any established" in ipfw.


----------



## _martin (Mar 6, 2014)

jnojr said:

> "allow in any packets that are part of an already-established connection"


That is done by the implicit default keep state part of the rule.

*EDIT* to clarify: I meant the pass in rule. For example:

```
pass in quick proto tcp from any to $IP_PUB port 22 
pass out all
```
adds keep state and S/SA flags automatically. The "in" rule above would become:

```
pass in quick inet proto tcp from any to 172.31.1.253 port = 22 flags S/SA keep state
```

Once the state is established (allowed by the S/SA flags), related traffic for this connection is tracked and allowed.


----------
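The ruleset jnojr was after, as an added example that is not from any post in this thread: allow everything the host initiates outbound, let state handle the replies, allow inbound only to named services, and make a narrow exception for IGMP. The interface name, address and service list are assumptions. In the logged `rule 2/8(ip-option)`, the number after the slash is the reason code pf attached to the packet (8 is `ip-option`; 0 is `match`, the normal case), not a second rule number. pf.conf(5) states that IPv4 packets with IP options are blocked by default unless the matching pass rule carries `allow-opts`, and IGMPv2 queries carry the Router Alert option, which is why a broad `pass in all` produced that line; the exception belongs on a rule scoped to IGMP, not on the catch-all.

```pf
# Added example, not from the thread.  Interface, address and services
# are assumptions; adjust them for the host.
ext_if = "en0"
ip_pub = "172.31.1.253"          # assumed public address (as in _martin's post)
tcp_services = "{ ssh }"

set skip on lo0

# Default deny, logged: blocked packets appear in pflog with action "block".
block in log all

# Outbound: allow everything the host itself initiates.  "keep state" and
# "flags S/SA" are implicit on pass rules, so this is what the thread's
# "pass in all flags S/SA keep state" should have been.  Replies to these
# connections are matched by the state entry before the rules are walked,
# so no "pass in ... established" rule is needed.
pass out all

# Inbound: only the services meant to be reachable.  pfctl -sr shows this
# rule expanded to "... flags S/SA keep state".
pass in quick on $ext_if proto tcp from any to $ip_pub port $tcp_services

# IGMP queries carry the IP Router Alert option.  Without allow-opts on the
# matching pass rule pf drops them and logs the packet with reason
# ip-option.  Scope the exception to IGMP from the directly attached
# subnet to the multicast range instead of putting allow-opts on a
# broad rule.
pass in quick on $ext_if proto igmp from $ext_if:network to 224.0.0.0/4 allow-opts
```

Check the file with `pfctl -vnf /etc/pf.conf` before loading it: the verbose parse prints each rule as pf will store it, with `flags S/SA keep state` added to the TCP pass rules, which is also what `pfctl -sr` shows once it is loaded. `tcpdump -n -e -ttt -i pflog0` shows both the packets the `log` keyword records and the ip-option entries pf logs on its own.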

