From: Dave Horsfall <dave@horsfall.org>
To: FreeBSD PF List <freebsd-pf@freebsd.org>
Date: Sat, 18 Nov 2017 12:20:27 +1100 (EST)
Subject: Why is PF rejecting these connections?

I have PF (FreeBSD 10.4) configured to drop suspicious packets, e.g. those claiming to be ACKs for non-existent connections, etc., but I'm seeing some weirdness in the logs.

Now, I sort of inherited the configuration and don't fully understand each directive, but if it works for someone I trust, well...

Anyway, here are some sample log entries:

23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
[...]
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>

Etc; the common theme appears to be those options, whose purpose I don't quite grok but which are presumably legal in this context.

The relevant lines from my pf.conf seem to be:

set block-policy drop
set loginterface egress
#set ruleset-optimization basic

scrub in
block all
pass out quick all keep state
antispoof log quick for $ext_if inet

[ Sundry pass/block rules ]

So, why is PF complaining about those packets? The finer points of TCP options notwithstanding, they seem OK to me...

Remember: I inherited most of the configuration file, so I don't necessarily understand it.

Thanks.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
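An added example, not part of Dave's message or of PF itself, that parses pflog/tcpdump lines in the format quoted above and flags SYNs that a client re-sent from the same source port with the same sequence number; those are TCP retransmissions of a SYN that never got a SYN-ACK, so the first copy had already been dropped before the logged one. The sample lines are copied from the message; the trailing `TS[|tcp]` is tcpdump noting that the capture snaplen cut the options short, not that the packet is malformed.

```python
import re
from collections import defaultdict

# Sample pflog/tcpdump lines, copied from the message above.
SAMPLE_LOG = """\
23:15:37.755870 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:15:40.755278 IP host90-45-237-212.serverdedicati.aruba.it.34944 > aneurin.kfu.smtp: Flags [S], seq 4161201091, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:02.768939 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
23:52:18.768869 IP rdns1.mailinfo.ga.43128 > aneurin.kfu.smtp: Flags [S], seq 1022514539, win 14600, options [mss 1460,sackOK,TS[|tcp]>
"""

# tcpdump's "time IP src.port > dst.port: Flags [..], seq N" layout; the greedy
# (\S+) backtracks to the last dot so dotted hostnames parse correctly.
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\w+): "
    r"Flags \[([^\]]*)\], seq (\d+)")

def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, sport, dst, dport, flags, seq = m.groups()
    h, mi, s = ts.split(":")
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
            "sport": int(sport), "dst": dst, "dport": dport,
            "flags": flags, "seq": int(seq)}

def find_syn_retransmits(text):
    """Group bare SYNs (flags exactly 'S') by 4-tuple and report the groups
    whose sequence number never changes: the same SYN logged more than once,
    with the gaps (seconds) between copies, i.e. the client's retry timer."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["flags"] == "S":
            flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)
    report = []
    for (src, sport, _dst, dport), recs in flows.items():
        if len(recs) > 1 and len({r["seq"] for r in recs}) == 1:
            gaps = [round(b["t"] - a["t"], 1) for a, b in zip(recs, recs[1:])]
            report.append({"src": src, "sport": sport, "dport": dport,
                           "seq": recs[0]["seq"], "copies": len(recs),
                           "gaps_s": gaps})
    return report

if __name__ == "__main__":
    for r in find_syn_retransmits(SAMPLE_LOG):
        print(f"{r['src']}:{r['sport']} -> {r['dport']}: seq {r['seq']} "
              f"logged {r['copies']}x, gaps {r['gaps_s']}s")
```

Reading the log with `tcpdump -n -e -ttt -r /var/log/pflog` additionally prints the rule number and the block/pass action for each entry, which is what ties a logged packet back to a specific line of pf.conf.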