From owner-freebsd-pf@FreeBSD.ORG Tue Mar 2 16:35:12 2010
Message-ID: <4B8D3DEE.30802@lmpt.univ-tours.fr>
Date: Tue, 02 Mar 2010 17:33:50 +0100
From: Olivier Thibault <Olivier.Thibault@lmpt.univ-tours.fr>
To: freebsd-pf@freebsd.org
Subject: FIN packets blocked

Hello,

I have a web server with apache+modproxy running FreeBSD 7.2-RELEASE-p7.
I filter incoming and outgoing traffic with pf.
I have some packets (about 20 per day) which are blocked and I don't understand why.

My config is: Internet -> ServerA(modproxy) -> ServerB(apache).

Here is the log for one blocked packet:

2010-03-02 15:40:29.573890 rule 7/0(match): block out on le0: serverA.62228 > serverB.80: F 3525425568:3525425568(0) ack 459935989 win 8326

All logs are similar.

Rule 7 is:

block return out log all

I have a rule allowing the traffic towards serverB:

pass out quick on le0 inet proto tcp from serverA to serverB port = http

As the packet has the FIN flag, I changed this rule to:

pass out quick on le0 inet proto tcp from serverA to serverB port = http flags S/SA keep state (if-bound, tcp.finwait 90)

but it doesn't change anything.

I used tcpdump to dump all traffic between the 2 servers, and the conversation outgoing from port 62228 (shown in the log of the blocked packet) ended at 15h22, and the packet is blocked at 15h40.

I guess there is something I misunderstood, but I don't know what.
Could you help me understand?

Best regards,

-- 
Olivier THIBAULT
Université François Rabelais - UFR Sciences et Techniques
Laboratoire de Mathématiques et Physique Théorique (UMR CNRS 6083)
Service Informatique de l'UFR
Parc de Grandmont 37200 Tours - France
Email: olivier.thibault at lmpt.univ-tours.fr
Tel: (33)(0)2 47 36 69 12
Fax: (33)(0)2 47 36 70 68
Mobile : (33)(0)6 62 60 80 44
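An added example (not part of the original post, and not a FreeBSD or pf tool) that puts the timing question raised in the message into code: it parses the blocked-packet line in the pflog format quoted above, builds a per-flow summary from tcpdump-style lines, and reports the gap between the flow's last captured packet and the blocked packet against the pf TCP state timeout that would govern that state, plus whether the blocked packet could have created a fresh state under "flags S/SA". The tcpdump lines, the serverA/serverB naming and the sequence numbers in the capture are constructed; the timeout values are the documented pf.conf(5) defaults; the mapping from observed FIN/RST packets to a state stage is a simplification of pf's TCP state tracking.

```python
"""Correlate a pf block-log line with a tcpdump capture of the same flow.

Added example, not code from the original post. Timeouts are the pf.conf(5)
defaults; the state-stage mapping is a simplification of pf's TCP tracking.
"""
import re
from datetime import datetime

# Documented defaults from pf.conf(5), in seconds.
PF_DEFAULT_TIMEOUTS = {
    "tcp.established": 86400,
    "tcp.closing": 900,
    "tcp.finwait": 45,
    "tcp.closed": 90,
}

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
ENDPOINTS = (r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
             r"(?P<flags>[SFRP.]+)(?P<rest>.*)")
# Layout of the blocked-packet line quoted in the post.
PFLOG_RE = re.compile(TS + r" rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) "
                      r"(?P<dir>in|out) on (?P<ifc>\w+): " + ENDPOINTS)
# Constructed "tcpdump -n -tttt" style lines; assumes the same host naming as the pflog.
TCPDUMP_RE = re.compile(TS + r" IP " + ENDPOINTS)

# The blocked packet exactly as quoted in the post.
BLOCKED_LINE = ("2010-03-02 15:40:29.573890 rule 7/0(match): block out on le0: "
                "serverA.62228 > serverB.80: F 3525425568:3525425568(0) ack 459935989 win 8326")

# Constructed capture of the 62228 <-> 80 conversation: serverB sends its FIN,
# serverA only ACKs it, and nothing more is seen until the blocked FIN at 15:40.
CAPTURE_LINES = [
    "2010-03-02 15:22:09.100000 IP serverA.62228 > serverB.80: S 3525425000:3525425000(0) win 65535",
    "2010-03-02 15:22:09.100500 IP serverB.80 > serverA.62228: S 459935000:459935000(0) ack 3525425001 win 65535",
    "2010-03-02 15:22:09.101000 IP serverA.62228 > serverB.80: . ack 459935001 win 8326",
    "2010-03-02 15:22:09.200000 IP serverA.62228 > serverB.80: P 3525425001:3525425568(567) ack 459935001 win 8326",
    "2010-03-02 15:22:09.900000 IP serverB.80 > serverA.62228: F 459935988:459935988(0) ack 3525425568 win 8326",
    "2010-03-02 15:22:10.000000 IP serverA.62228 > serverB.80: . ack 459935989 win 8326",
]


def _parse(regex, line):
    """Parse one line with the given pattern; returns None for lines that do not match."""
    m = regex.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%Y-%m-%d %H:%M:%S.%f")
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def ack_set(pkt):
    """Old tcpdump prints '.' for a bare ACK and an 'ack N' field when other flags are set too."""
    return "." in pkt["flags"] or " ack " in pkt["rest"]


def matches_flags_s_sa(pkt):
    """pf 'flags S/SA': of the SYN and ACK bits, SYN must be set and ACK clear."""
    return "S" in pkt["flags"] and not ack_set(pkt)


def flow_key(pkt):
    """Direction-independent 4-tuple so both halves of a conversation share one key."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def summarize_capture(lines):
    """Per flow: time of the last packet, which endpoints sent FIN, whether a RST was seen."""
    flows = {}
    for line in lines:
        pkt = _parse(TCPDUMP_RE, line)
        if pkt is None:
            continue
        f = flows.setdefault(flow_key(pkt), {"last": pkt["ts"], "fin_from": set(), "rst": False})
        f["last"] = max(f["last"], pkt["ts"])
        if "F" in pkt["flags"]:
            f["fin_from"].add((pkt["src"], pkt["sport"]))
        if "R" in pkt["flags"]:
            f["rst"] = True
    return flows


def state_stage(flow):
    """Simplified map of what was last seen onto the pf timeout that governs the state."""
    if flow["rst"]:
        return "tcp.closed"
    if len(flow["fin_from"]) >= 2:
        return "tcp.finwait"      # both sides have closed
    if flow["fin_from"]:
        return "tcp.closing"      # one side has closed
    return "tcp.established"


def explain_block(pflog_line, capture_lines, timeouts=None):
    """Why the blocked packet found no state: gap since the flow's last packet vs. the timeout."""
    active = dict(PF_DEFAULT_TIMEOUTS, **(timeouts or {}))
    blocked = _parse(PFLOG_RE, pflog_line)
    if blocked is None:
        raise ValueError("unrecognised pflog line: %r" % pflog_line)
    result = {"flags": blocked["flags"], "matches_flags_S_SA": matches_flags_s_sa(blocked)}
    flow = summarize_capture(capture_lines).get(flow_key(blocked))
    if flow is None:
        result["flow_seen"] = False
        return result
    gap = (blocked["ts"] - flow["last"]).total_seconds()
    stage = state_stage(flow)
    result.update(flow_seen=True, gap_seconds=gap, state_stage=stage,
                  timeout_seconds=active[stage], state_expired=gap > active[stage])
    return result


if __name__ == "__main__":
    # Same override as the "tcp.finwait 90" option in the rewritten rule.
    for key, val in explain_block(BLOCKED_LINE, CAPTURE_LINES, {"tcp.finwait": 90}).items():
        print("%-20s %s" % (key, val))
```

In the constructed capture the flow is in the one-side-closed stage, so raising tcp.finwait to 90 changes nothing for it, and the 18-minute gap exceeds every default timeout that could apply; because the blocked packet carries FIN+ACK rather than a bare SYN, it also cannot create a new state under "flags S/SA" and falls through to the catch-all block rule. Real tcpdump output from a different version may print flags as "F." or "[F.]"; the regex only covers the older single-letter form shown in the post.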