Date: Sat, 13 Sep 2014 22:02:38 +0200
From: Andrei Brezan <andrei693@gmail.com>
To: pf@freebsd.org
Subject: Re: pf firewall blocking packets with a pass rule in place
Message-ID: <5414A2DE.9020307@gmail.com>
In-Reply-To: <5414A086.5020608@gmail.com>
References: <5414A086.5020608@gmail.com>
On 09/13/14 21:52, Andrei Brezan wrote:
> Hi,
> Forgot to mention, this is on 10.0-RELEASE-p7.
> I have some odd behaviour on one network which has a pf gateway
> firewall. This is from a tcpdump on pflog on the firewall, 1.2.3.4 is
> my remote address, 5.6.7.8 is the pf firewall, 10.0.0.252 is an
> OpenVPN server (tap) behind the firewall, 10.0.0.250 is my mail server:
>
> 20:45:26.682551 rule 32..16777216/0(match): pass out on vlan333: 1.2.3.4.61384 > 10.0.0.252.1194: UDP, length 14
> 20:46:36.230485 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.57412 > 10.0.0.250.80: Flags [S], seq 1335812154, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 687134035 ecr 0], length 0
> 20:46:36.244606 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.53156 > 10.0.0.250.443: Flags [S], seq 3626719163, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3971340937 ecr 0], length 0
> 20:52:28.494174 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.51684 > 10.0.0.250.993: Flags [S], seq 3306743615, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2707206732 ecr 0], length 0
> 20:52:30.650788 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.59297 > 10.0.0.250.993: Flags [S], seq 4090099168, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2986073365 ecr 0], length 0
> 20:57:27.585665 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.50367 > 10.0.0.250.80: Flags [S], seq 920232625, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 809211507 ecr 0], length 0
> 20:57:27.599151 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54013 > 10.0.0.250.443: Flags [S], seq 281501721, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 1810969707 ecr 0], length 0
> 21:01:13.826452 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.64792 > 10.0.0.250.25: Flags [S], seq 1871587187, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 1261752165 ecr 0], length 0
> 21:03:16.371844 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515, ack 2361346111, win 1026, options [nop,nop,TS val 5284083 ecr 52159031], length 37
> 21:03:16.372008 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [F.], seq 37, ack 1, win 1026, options [nop,nop,TS val 5284083 ecr 52159031], length 0
> 21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2062181022 ecr 0], length 0
> 21:03:16.615875 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284327 ecr 52159031], length 37
> 21:03:16.891824 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284603 ecr 52159031], length 37
> 21:03:17.231604 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284943 ecr 52159031], length 37
> 21:03:17.685793 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5285397 ecr 52159031], length 37
> 21:03:18.408137 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5286119 ecr 52159031], length 37
> 21:03:19.583723 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5287295 ecr 52159031], length 37
> 21:03:21.713816 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5289425 ecr 52159031], length 37
> 21:03:25.766916 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5293478 ecr 52159031], length 37
> 21:03:33.679722 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5301391 ecr 52159031], length 37
> 21:03:49.240190 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5316951 ecr 52159031], length 37
> 21:04:04.821702 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5332533 ecr 52159031], length 37
> 21:04:20.382912 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5348094 ecr 52159031], length 37
> 21:04:35.947297 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [R.], seq 38, ack 1, win 1026, options [nop,nop,TS val 5363658 ecr 52159031], length 0
> 21:38:41.708989 rule 32..16777216/0(match): pass out on igb0: 5.6.7.8.54206 > 1.2.3.4.61384: UDP, length 101
> 21:40:11.470576 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.58407 > 10.0.0.250.993: Flags [S], seq 3179386733, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3544878749 ecr 0], length 0
> 21:41:10.356274 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.63184 > 1.2.3.4.58407: Flags [R.], seq 542623300, ack 3179387863, win 0, length 0
> 21:42:42.139787 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.58246 > 10.0.0.250.993: Flags [S], seq 2033854095, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2222918259 ecr 0], length 0
> 21:42:58.173371 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.55938 > 1.2.3.4.58246: Flags [P.], seq 1671786524:1671786577, ack 2033855225, win 252, options [nop,nop,TS val 52409345 ecr 7663492], length 53
> 21:43:01.035543 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.62485 > 1.2.3.4.51684: Flags [R.], seq 1560010735, ack 3306749941, win 0, length 0
> 21:43:43.457948 rule 32..16777216/0(match): pass out on vlan333: 1.2.3.4.61028 > 192.168.0.252.1194: UDP, length 14
> 21:43:51.279156 rule 32..16777216/0(match): pass out on igb0: 5.6.7.8.64507 > 1.2.3.4.61028: UDP, length 101
> 21:44:42.074698 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.57041 > 10.0.0.250.993: Flags [S], seq 3652350806, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2369373378 ecr 0], length 0
> 21:45:11.441957 rule 0..16777216/0(match): block in on vlan333: 10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445, ack 3275340784, win 255, length 1
>
> I really don't understand why these packets are blocked. I'm
> experiencing intermittent and random connection loss which, what's really
> odd, happens mostly during the evening or night; plus I don't see the
> pass in pflog for the established state, and after this round of blocked
> packets I am still able to connect to the IMAPs server:
>
> % sudo pfctl -vvs state | grep -A 3 -E "1.2.3.4.*993"
> No ALTQ support in kernel
> ALTQ related functions disabled
> all tcp 1.2.3.4:59297 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
>    [4090185320 + 65054] wscale 6  [521715590 + 65664] wscale 8
>    age 00:43:22, expires in 23:58:49, 1341:1208 pkts, 155891:390868 bytes, rule 35
>    id: 0300000053fe8341 creatorid: d8aa2c51
> --
> all tcp 1.2.3.4:54106 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
>    [2304345867 + 65536] wscale 6  [3058330740 + 65664] wscale 8
>    age 01:39:27, expires in 23:58:45, 197:161 pkts, 22303:35201 bytes, rule 35
>    id: 0000000053fe91c7 creatorid: d8aa2c51
> --
> all tcp 1.2.3.4:51684 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
>    [3306749755 + 64806] wscale 6  [1560010681 + 65664] wscale 8
>    age 00:43:24, expires in 23:37:21, 163:285 pkts, 14623:190269 bytes, rule 35
>    id: 0000000053fe9440 creatorid: d8aa2c51
> --
> all tcp 1.2.3.4:54156 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
>    [3275340128 + 64626] wscale 6  [2259430819 + 65664] wscale 8
>    age 00:32:36, expires in 24:00:00, 374:490 pkts, 32475:273389 bytes, rule 35
>    id: 0000000053fe944f creatorid: d8aa2c51
>
> % sudo pfctl -vvs state | grep -A 3 -E "993.*1.2.3.4"
> No ALTQ support in kernel
> ALTQ related functions disabled
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:59297       ESTABLISHED:ESTABLISHED
>    [521721120 + 65664] wscale 8  [4090191500 + 64828] wscale 6
>    age 00:44:12, expires in 23:59:55, 1429:1274 pkts, 166647:399830 bytes
>    id: 0300000053fe8340 creatorid: d8aa2c51
> --
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54106       ESTABLISHED:ESTABLISHED
>    [3058330915 + 1026]  [2304346089 + 255]
>    age 00:51:21, expires in 23:59:51, 71:53 pkts, 7588:5901 bytes
>    id: 0000000053fe9427 creatorid: d8aa2c51
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:51684       ESTABLISHED:ESTABLISHED
>    [1560010681 + 65664] wscale 8  [3306749755 + 64806] wscale 6
>    age 00:44:14, expires in 23:36:31, 163:285 pkts, 14623:190269 bytes
>    id: 0000000053fe943f creatorid: d8aa2c51
> --
> all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156       ESTABLISHED:ESTABLISHED
>    [2259430819 + 65664] wscale 8  [3275340128 + 64626] wscale 6
>    age 00:33:26, expires in 23:59:10, 374:490 pkts, 32475:273389 bytes
>    id: 0000000053fe944e creatorid: d8aa2c51
>
> Does anyone have any idea what might be amiss here? What can I look into? I
> hope someone with more pf and TCP knowledge than me can shed some light.
>
> Thank you,
> --
> Andrei

-- 
Andrei
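An added example, not part of the thread: a small parser for the tcpdump-on-pflog records quoted above that groups packets by flow and reports, per flow, the non-SYN packets pf's default rule blocked, together with whether that flow's state-creating SYN was ever logged as passed. That split matches the two observations in the post: a flow whose SYN pass appears in pflog and is later blocked mid-stream (54156), versus a flow blocked from its first logged packet with no SYN pass in the log at all (54922). The sample records are copied from the post, rejoined to one line per packet and trimmed of the TCP options field, which the parser does not use.

```python
import re
from collections import defaultdict

# Sample input: six pflog records from the post, one per line, options field
# dropped. A "pass" for an [S] packet is pf creating state for that flow.
SAMPLE_PFLOG = """\
20:45:26.682551 rule 32..16777216/0(match): pass out on vlan333: 1.2.3.4.61384 > 10.0.0.252.1194: UDP, length 14
20:46:36.230485 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.57412 > 10.0.0.250.80: Flags [S], seq 1335812154, win 65535, length 0
21:03:16.371844 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515, ack 2361346111, win 1026, length 37
21:03:16.372008 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [F.], seq 37, ack 1, win 1026, length 0
21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535, length 0
21:45:11.441957 rule 0..16777216/0(match): block in on vlan333: 10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445, ack 3275340784, win 255, length 1
"""

# One tcpdump line on pflog: "<ts> rule <n>..<sub>/<x>(<reason>): <action> <dir> on <if>: <src>.<port> > <dst>.<port>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)\.\.\S+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|UDP)"
)

def parse_pflog(text):
    """Parse pflog records into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def flow_key(r):
    """Direction-independent 4-tuple so both halves of a flow group together."""
    return tuple(sorted([(r["src"], int(r["sport"])), (r["dst"], int(r["dport"]))]))

def mid_stream_blocks(records):
    """Flows where a non-SYN packet (one that should have matched existing state)
    was blocked. syn_passed records whether that flow's SYN pass was logged, i.e.
    'state existed, then a packet was blocked' vs 'state creation never logged'."""
    flows = defaultdict(lambda: {"syn_passed": False, "blocked": []})
    for r in records:
        if r["flags"] is None:  # UDP record: no TCP flag logic applies
            continue
        f = flows[flow_key(r)]
        if r["action"] == "pass" and "S" in r["flags"]:
            f["syn_passed"] = True
        elif r["action"] == "block" and "S" not in r["flags"]:
            f["blocked"].append((r["ts"], r["dir"], r["flags"], int(r["rule"])))
    return {k: v for k, v in flows.items() if v["blocked"]}

if __name__ == "__main__":
    for flow, info in mid_stream_blocks(parse_pflog(SAMPLE_PFLOG)).items():
        print(flow, info)
```

Run it over a full `tcpdump -n -e -ttt -i pflog0` capture to see which blocked flows had their SYN logged at all; a flow blocked by rule 0 with no logged SYN pass points at state being created elsewhere (or not at all), while a flow with a logged SYN pass and later blocks points at the state expiring or no longer matching the packet.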