I want to just block a few classes that must be blocked. It seems like it's partly working, but not all packets are accessible. And moreover I cannot connect from outside.
What is wrong? My FreeBSD is 7.3-Stable, my WAN interface is vlan300 and vlan352 is for a user.

The rule for blocking is:

    rule 28/0 block in log on vlan352 from 79.110.199.192/27 to <mynet>
    rule 29/0 block in log on vlan352 from 79.110.199.192/27 to !<mynet>

I was trying also with:

    block in log on vlan352 from 79.110.199.192/27 to any

instead of these 2 above. <mynet> contains addresses of my network: 79.110.192.0/20

Passing rules are:

    pass quick from 79.110.199.199 to <mynet> keep state
    pass in quick on vlan352 from 79.110.199.199 to !<mynet> tag FROM79_110_199_199 queue 79_110_199_199D
    pass out quick on vlan300 tagged FROM79_110_199_199 queue 79_110_199_199U
    pass in quick on vlan300 from !<mynet> to 79.110.199.199 tag TO79_110_199_199 queue 79_110_199_199U
    pass out quick on vlan352 tagged TO79_110_199_199 queue 79_110_199_199D

But still some packets are dropped:

    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 87.239.219.82.59291: tcp 1480 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 56948, offset 0, flags [DF], proto TCP (6), length 1442) 79.110.199.199.55073 > 80.229.149.80.55511: tcp 1422 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8243, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8244, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8245, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8246, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8247, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
    rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54314, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8248, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
    rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54315, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]

--
Regards,
Bartosz Woronicz, System Administrator, mynet S.A.
ul. Nabycińska 19, 53-677 Wrocław
NIP: 894-26-41-602
tel. 071-723-43-23 fax. 071-723-43-29
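As an added helper that is not part of the post: a parser for the tcpdump/pflog lines above that groups the blocked flows by rule, source and destination, checks each hit against the <mynet> test the two block rules use (rule 28 for destinations inside <mynet>, rule 29 for outside), and counts how many entries were cut short by the 96-byte snaplen. It assumes <mynet> is 79.110.192.0/20 as stated in the post; the sample lines are copied from the log above.

```python
import ipaddress
import re
from collections import Counter

# From the post: <mynet> = 79.110.192.0/20, rule 28 blocks traffic to <mynet>,
# rule 29 blocks traffic to !<mynet>. Both numbers are assumptions taken from it.
MYNET = ipaddress.ip_network("79.110.192.0/20")
RULE_TO_MYNET, RULE_TO_OUTSIDE = 28, 29

# Matches the line format tcpdump prints when reading pflog0, as shown in the post.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>[^:]+): \(.*?proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): ?(?P<rest>.*)$"
)

# Constructed sample: three lines taken verbatim from the pflog output in the post.
SAMPLE_LOG = """\
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 87.239.219.82.59291: tcp 1480 [bad hdr length 0 - too short, < 20]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
"""


def parse_pflog_line(line):
    """Return a dict for one rule-match line, or None for any other tcpdump output."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "length", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["dst_in_mynet"] = ipaddress.ip_address(rec["dst"]) in MYNET
    # "[|tcp]" and "bad hdr length" are tcpdump's way of saying the TCP header was
    # not fully captured (snaplen minus the pflog header), not that the packet is bad.
    rec["truncated"] = "[|tcp]" in rec["rest"] or "bad hdr length" in rec["rest"]
    return rec


def summarize(log_text):
    """Count blocked flows per (rule, src, dst) and flag hits on the 'wrong' block rule."""
    flows, truncated, mismatched = Counter(), 0, []
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        flows[(rec["rule"], rec["src"], rec["dst"])] += 1
        truncated += int(rec["truncated"])
        expected = RULE_TO_MYNET if rec["dst_in_mynet"] else RULE_TO_OUTSIDE
        if rec["rule"] != expected:
            mismatched.append((rec["rule"], rec["dst"]))
    return {"flows": flows, "truncated": truncated, "mismatched": mismatched}


if __name__ == "__main__":
    for flow, count in summarize(SAMPLE_LOG)["flows"].items():
        print(flow, count)
```

Feed it the full pflog capture to see at a glance which destinations each block rule is hitting and whether the capture size is hiding the TCP flags you need.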
Bartosz Woronicz
2011-Jun-01 22:03 UTC
[CLOSED] Re: PF problem with packets falling in block...
I put it in the wrong mailing list. Sorry for that.

On 01.06.2011 14:18, Bartosz Woronicz wrote:
> [the message above, quoted in full]

--
Regards,
Bartosz Woronicz, System Administrator, Korbank S.A.
ul. Nabycińska 19, 53-677 Wrocław
NIP: 894-26-41-602
tel. 071-723-43-23 fax. 071-723-43-29