From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 15:40:41 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 163208] [pf] PF state key linking mismatch
Date: Mon, 08 Sep 2014 15:40:41 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Status: In Discussion
X-Bugzilla-Who: dvl@FreeBSD.org
X-Bugzilla-Changed-Fields: cc bug_severity
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163208

Dan Langille changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dvl@FreeBSD.org
           Severity|Affects Only Me             |Affects Some People

--- Comment #17 from Dan Langille ---
This situation persists in FreeBSD 9.3-RELEASE

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 13 19:52:42 2014
Message-ID: <5414A086.5020608@gmail.com>
Date: Sat, 13 Sep 2014 21:52:38 +0200
From: Andrei Brezan
To: pf@freebsd.org
Subject: pf firewall blocking packets with a pass rule in place

Hi,

I have some odd behaviour on one network which has a pf gateway firewall.
This is from a tcpdump on pflog on the firewall; 1.2.3.4 is my remote
address, 5.6.7.8 is the pf firewall, 10.0.0.252 is an OpenVPN server (tap)
behind the firewall, 10.0.0.250 is my mail server:

20:45:26.682551 rule 32..16777216/0(match): pass out on vlan333: 1.2.3.4.61384 > 10.0.0.252.1194: UDP, length 14
20:46:36.230485 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.57412 > 10.0.0.250.80: Flags [S], seq 1335812154, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 687134035 ecr 0], length 0
20:46:36.244606 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.53156 > 10.0.0.250.443: Flags [S], seq 3626719163, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3971340937 ecr 0], length 0
20:52:28.494174 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.51684 > 10.0.0.250.993: Flags [S], seq 3306743615, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2707206732 ecr 0], length 0
20:52:30.650788 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.59297 > 10.0.0.250.993: Flags [S], seq 4090099168, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2986073365 ecr 0], length 0
20:57:27.585665 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.50367 > 10.0.0.250.80: Flags [S], seq 920232625, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 809211507 ecr 0], length 0
20:57:27.599151 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54013 > 10.0.0.250.443: Flags [S], seq 281501721, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 1810969707 ecr 0], length 0
21:01:13.826452 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.64792 > 10.0.0.250.25: Flags [S], seq 1871587187, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 1261752165 ecr 0], length 0
21:03:16.371844 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515, ack 2361346111, win 1026, options [nop,nop,TS val 5284083 ecr 52159031], length 37
21:03:16.372008 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [F.], seq 37, ack 1, win 1026, options [nop,nop,TS val 5284083 ecr 52159031], length 0
21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2062181022 ecr 0], length 0
21:03:16.615875 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284327 ecr 52159031], length 37
21:03:16.891824 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284603 ecr 52159031], length 37
21:03:17.231604 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284943 ecr 52159031], length 37
21:03:17.685793 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5285397 ecr 52159031], length 37
21:03:18.408137 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5286119 ecr 52159031], length 37
21:03:19.583723 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5287295 ecr 52159031], length 37
21:03:21.713816 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5289425 ecr 52159031], length 37
21:03:25.766916 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5293478 ecr 52159031], length 37
21:03:33.679722 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5301391 ecr 52159031], length 37
21:03:49.240190 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5316951 ecr 52159031], length 37
21:04:04.821702 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5332533 ecr 52159031], length 37
21:04:20.382912 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5348094 ecr 52159031], length 37
21:04:35.947297 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [R.], seq 38, ack 1, win 1026, options [nop,nop,TS val 5363658 ecr 52159031], length 0
21:38:41.708989 rule 32..16777216/0(match): pass out on igb0: 5.6.7.8.54206 > 1.2.3.4.61384: UDP, length 101
21:40:11.470576 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.58407 > 10.0.0.250.993: Flags [S], seq 3179386733, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3544878749 ecr 0], length 0
21:41:10.356274 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.63184 > 1.2.3.4.58407: Flags [R.], seq 542623300, ack 3179387863, win 0, length 0
21:42:42.139787 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.58246 > 10.0.0.250.993: Flags [S], seq 2033854095, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2222918259 ecr 0], length 0
21:42:58.173371 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.55938 > 1.2.3.4.58246: Flags [P.], seq 1671786524:1671786577, ack 2033855225, win 252, options [nop,nop,TS val 52409345 ecr 7663492], length 53
21:43:01.035543 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.62485 > 1.2.3.4.51684: Flags [R.], seq 1560010735, ack 3306749941, win 0, length 0
21:43:43.457948 rule 32..16777216/0(match): pass out on vlan333: 1.2.3.4.61028 > 192.168.0.252.1194: UDP, length 14
21:43:51.279156 rule 32..16777216/0(match): pass out on igb0: 5.6.7.8.64507 > 1.2.3.4.61028: UDP, length 101
21:44:42.074698 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.57041 > 10.0.0.250.993: Flags [S], seq 3652350806, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2369373378 ecr 0], length 0
21:45:11.441957 rule 0..16777216/0(match): block in on vlan333: 10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445, ack 3275340784, win 255, length 1

I really don't understand why these packets are blocked.
I'm experiencing intermittent and random connection loss which, what's really
odd, happens mostly during the evening or night. Also, I don't see a pass in
pflog for the established state, and after this round of blocked packets I am
still able to connect to the IMAPS server:

% sudo pfctl -vvs state | grep -A 3 -E "1.2.3.4.*993"
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 1.2.3.4:59297 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [4090185320 + 65054] wscale 6  [521715590 + 65664] wscale 8
   age 00:43:22, expires in 23:58:49, 1341:1208 pkts, 155891:390868 bytes, rule 35
   id: 0300000053fe8341 creatorid: d8aa2c51
--
all tcp 1.2.3.4:54106 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [2304345867 + 65536] wscale 6  [3058330740 + 65664] wscale 8
   age 01:39:27, expires in 23:58:45, 197:161 pkts, 22303:35201 bytes, rule 35
   id: 0000000053fe91c7 creatorid: d8aa2c51
--
all tcp 1.2.3.4:51684 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [3306749755 + 64806] wscale 6  [1560010681 + 65664] wscale 8
   age 00:43:24, expires in 23:37:21, 163:285 pkts, 14623:190269 bytes, rule 35
   id: 0000000053fe9440 creatorid: d8aa2c51
--
all tcp 1.2.3.4:54156 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [3275340128 + 64626] wscale 6  [2259430819 + 65664] wscale 8
   age 00:32:36, expires in 24:00:00, 374:490 pkts, 32475:273389 bytes, rule 35
   id: 0000000053fe944f creatorid: d8aa2c51

% sudo pfctl -vvs state | grep -A 3 -E "993.*1.2.3.4"
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:59297       ESTABLISHED:ESTABLISHED
   [521721120 + 65664] wscale 8  [4090191500 + 64828] wscale 6
   age 00:44:12, expires in 23:59:55, 1429:1274 pkts, 166647:399830 bytes
   id: 0300000053fe8340 creatorid: d8aa2c51
--
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54106       ESTABLISHED:ESTABLISHED
   [3058330915 + 1026]  [2304346089 + 255]
   age 00:51:21, expires in 23:59:51, 71:53 pkts, 7588:5901 bytes
   id: 0000000053fe9427 creatorid: d8aa2c51
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:51684       ESTABLISHED:ESTABLISHED
   [1560010681 + 65664] wscale 8  [3306749755 + 64806] wscale 6
   age 00:44:14, expires in 23:36:31, 163:285 pkts, 14623:190269 bytes
   id: 0000000053fe943f creatorid: d8aa2c51
--
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156       ESTABLISHED:ESTABLISHED
   [2259430819 + 65664] wscale 8  [3275340128 + 64626] wscale 6
   age 00:33:26, expires in 23:59:10, 374:490 pkts, 32475:273389 bytes
   id: 0000000053fe944e creatorid: d8aa2c51

Does anyone have any idea what might be amiss here? What can I look into? I
hope someone with more pf and TCP knowledge than me can shed some light.

Thank you,
-- 
Andrei

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 13 20:02:43 2014
Message-ID: <5414A2DE.9020307@gmail.com>
Date: Sat, 13 Sep 2014 22:02:38 +0200
From: Andrei Brezan
To: pf@freebsd.org
Subject: Re: pf firewall blocking packets with a pass rule in place
In-Reply-To: <5414A086.5020608@gmail.com>

On 09/13/14 21:52, Andrei Brezan wrote:
> Hi,
>
Forgot to mention, this is on 10.0-RELEASE-p7.

> I have some odd behaviour on one network which has a pf gateway
> firewall.
-- 
Andrei
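The thread leaves the question open, so here is an added triage helper (not code from the thread, from pf or from pfctl) that does mechanically what Andrei did by hand above: it pairs each pflog "block" line with the `pfctl -vvs state` entry for its 4-tuple (also under the NAT address shown in parentheses) and reports whether there was no state at all, a state with no wscale (pf records window scaling only from the SYN exchange, so such a state was created from a non-SYN packet), or a state whose tracked `[seqlo + span]` window does or does not cover the packet's sequence number. The sample input is constructed from lines quoted above except the last pflog line, which is invented; it assumes IPv4 and absolute sequence numbers in the pflog lines (tcpdump -S), and the window test is a coarse approximation of pf's own check.

```python
"""Correlate pflog 'block' lines with 'pfctl -vvs state' output. Added triage helper,
not code from the original post; samples are constructed from lines quoted in the
thread (last pflog line invented). Assumes IPv4 and absolute seq numbers (tcpdump -S)."""
import re

PFLOG_RE = re.compile(
    r"rule \d+\.\.\S+\(match\): (?P<action>pass|block) (?P<dir>in|out)"
    r" on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)")
STATE_HDR_RE = re.compile(
    r"^all tcp (?P<left>\S+)(?: \((?P<nat>[^)]+)\))? (?:->|<-) (?P<right>\S+)\s+\S+")
# pfctl prints [seqlo + (seqhi - seqlo)] per side, first for the entry's left-hand
# host, then the right-hand one; 'wscale' is shown only if learned from the SYN exchange.
STATE_SEQ_RE = re.compile(
    r"\[(?P<lseq>\d+) \+ (?P<lspan>\d+)\](?:\(\+\d+\))?(?P<lws> wscale \d+)?"
    r"\s+\[(?P<rseq>\d+) \+ (?P<rspan>\d+)\](?:\(\+\d+\))?(?P<rws> wscale \d+)?")

def endpoint(text):
    """'1.2.3.4.54922' or '1.2.3.4:54922' -> ('1.2.3.4', 54922)."""
    host, _, port = text.replace(":", ".").rpartition(".")
    return host, int(port)

def parse_states(text):
    """Map (left, right) endpoints -> windows; a NAT address in parentheses is indexed too."""
    states, keys = {}, []
    for line in text.splitlines():
        hdr = STATE_HDR_RE.match(line.strip())
        if hdr:
            left, right = endpoint(hdr["left"]), endpoint(hdr["right"])
            keys = [(left, right)] + ([(endpoint(hdr["nat"]), right)] if hdr["nat"] else [])
            for k in keys:
                states[k] = {"wscale": False}
        seq = STATE_SEQ_RE.search(line)
        if seq:
            for k in keys:
                states[k].update(left=(int(seq["lseq"]), int(seq["lspan"])),
                                 right=(int(seq["rseq"]), int(seq["rspan"])),
                                 wscale=bool(seq["lws"] or seq["rws"]))
    return states

def classify(line, states):
    """Explain one pflog 'block' line against the state table (None for other lines)."""
    m = PFLOG_RE.search(line)
    if not m or m["action"] != "block":
        return None
    src, dst = endpoint(m["src"]), endpoint(m["dst"])
    flow = f"{m['dir']} {m['iface']} {m['src']} > {m['dst']}"
    st = states.get((src, dst)) or states.get((dst, src))
    side = "left" if (src, dst) in states else "right"   # which bracket is the sender's
    if st is None:
        return flow, "no state: mid-stream packet, or the state already expired"
    if not st["wscale"]:
        return flow, "state without wscale: created from a non-SYN packet"
    seq = re.search(r"\bseq (\d+)", m["rest"])
    if seq and side in st:
        lo, span = st[side]
        if not lo <= int(seq[1]) < lo + span:  # coarse form of pf's window check
            return flow, f"seq {seq[1]} outside tracked window [{lo} + {span}]"
    return flow, "state present, seq inside window: block not explained by states"

def report(pflog_text, state_text):
    """Verdicts for every block line, in log order."""
    states = parse_states(state_text)
    return [v for v in (classify(ln, states) for ln in pflog_text.splitlines()) if v]

PFLOG_SAMPLE = """\
21:03:16.371844 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515, ack 2361346111, win 1026, length 37
21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535, length 0
21:45:11.441957 rule 0..16777216/0(match): block in on vlan333: 10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445, ack 3275340784, win 255, length 1
21:50:00.000000 rule 0..16777216/0(match): block in on igb0: 1.2.3.4.54106 > 5.6.7.8.993: Flags [P.], seq 2304346100:2304346137, ack 3058330915, win 1026, length 37
"""
STATE_SAMPLE = """\
all tcp 1.2.3.4:54156 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [3275340128 + 64626] wscale 6  [2259430819 + 65664] wscale 8
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156       ESTABLISHED:ESTABLISHED
   [2259430819 + 65664] wscale 8  [3275340128 + 64626] wscale 6
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54106       ESTABLISHED:ESTABLISHED
   [3058330915 + 1026]  [2304346089 + 255]
"""
```

Run `report()` over a real pflog capture and state dump taken at the same time; a "no state" verdict for a PSH/FIN packet means pf never saw (or has already dropped) the SYN for that flow, while "state present" blocks are the ones worth reporting to the list.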