From owner-freebsd-pf@FreeBSD.ORG  Sun Jan 26 23:19:36 2014
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id BE6532A0
 for <freebsd-pf@freebsd.org>; Sun, 26 Jan 2014 23:19:36 +0000 (UTC)
Received: from mail-ea0-x22c.google.com (mail-ea0-x22c.google.com
 [IPv6:2a00:1450:4013:c01::22c])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5AD8F1605
 for <freebsd-pf@freebsd.org>; Sun, 26 Jan 2014 23:19:36 +0000 (UTC)
Received: by mail-ea0-f172.google.com with SMTP id g15so1996872eak.17
 for <freebsd-pf@freebsd.org>; Sun, 26 Jan 2014 15:19:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:date:message-id:subject:from:to:content-type;
 bh=ID/E07j5RZGr5LvFzq0WHTX/pOMSHsdUtVwNZBzMX4U=;
 b=O6XhCz6nY82QbF0zeO/27BvP8CGvbFNXnfNbLWnuldafU6ORcgUI9l0KrPEnqZY7QR
 E1lnlMUjwnfzzyih09EUgFKQ7hO/jSWV9SsxAPtLrzhRkpCnr92iEUli3tgrC1YMpyDq
 ihsh9KS2ecdZcWtGhXHaVVGDi4qeprVttD/HFTwLAY2OKyqlIbm95RgZQUCHSXB28S+e
 CL1jTD/W/uILEmACu/n0BHxaJLzzyQg8pVxACOY3K0h+QIE565DEQ2rp9uvOC+Sfgsqc
 G2iWAafTFl7sdXJz/g0w4W6zFGDcutFrz5JTqFTdplD+XOL1FPr+w2coYvWg5KueyvgQ
 bL9A==
MIME-Version: 1.0
X-Received: by 10.15.50.201 with SMTP id l49mr95667eew.114.1390778374708; Sun,
 26 Jan 2014 15:19:34 -0800 (PST)
Received: by 10.15.102.76 with HTTP; Sun, 26 Jan 2014 15:19:34 -0800 (PST)
Date: Sun, 26 Jan 2014 18:19:34 -0500
Message-ID: <CA+QLa9D97WytnE2Yiy6VFXDrhcgLcpPGf2zB16urjf2Ms+rzFg@mail.gmail.com>
Subject: PF in FreeBSD 10.0 Blocking Some SSH
From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2014 23:19:36 -0000

Over the course of a few hours there are a handful of SSH packets that
are being blocked both in and out. This does not seem to affect the
SSH session, and all the blocked packets have certain flags set [FP.],
[R.], [P.], [.], [F.]. The following is my ruleset abbreviated to the
rules that apply to this problem:

ext_if = "en0"
allowed = "{ 192.168.1.10 }"
std_tcp_in = "{ ssh }"
block in log
block out log (user)
pass in quick on $ext_if proto tcp from $allowed to ($ext_if) port
$std_tcp_in keep state

Why are those packets being blocked?