Date:      Wed, 04 May 2005 21:31:16 +0800
From:      sam <sam.wun@tech-21.com.hk>
To:        freebsd-pf@freebsd.org, freebsd-current@freebsd.org
Subject:   PF blocking Pass rules
Message-ID:  <4278CEA4.2030609@tech-21.com.hk>

Hi,

I don't know what happened. I just set up an internal LAN firewall using 
PF (v3.6). The PF firewall has its defaultrouter set to the external 
firewall (facing the internet).
All my PCs have their default gateway set to the PF firewall. When I started 
downloading an iso file from some website, the first 13% was fine, then the 
PF firewall suddenly started blocking the traffic from my PC to the 
external website where I am downloading the file. After a while (about 6 
minutes), my download resumed, then stopped for 5 minutes, then resumed....

Here are the running rules loaded in the PF firewall:
root@intgw2:/usr/local/etc# pfctl -sr
block drop in log all
pass quick on xl0 proto pfsync all
pass in on fxp0 inet proto carp from 10.1.254.250 to any keep state
pass in on fxp1 inet proto carp from 10.3.254.250 to any keep state
pass in on fxp0 inet proto tcp from 10.1.0.0/16 to any flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 13:156 flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 1024:60000 flags S/SA keep state
pass in on fxp0 proto udp from any to any port 1024:60000 keep state
pass in on fxp0 inet proto udp from 10.1.0.0/16 to any keep state
pass in on fxp0 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto tcp from any to 10.1.255.255 keep state
pass in on fxp0 inet proto udp from any to 10.1.255.255 keep state
pass in on fxp1 proto udp from any to any port 13:156 keep state
pass in on fxp1 proto udp from any to any port 1024:60000 keep state
pass in on fxp1 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto tcp from any to 10.3.255.255 keep state
pass in on fxp1 inet proto udp from any to 10.3.255.255 keep state
pass out quick on fxp0 all keep state
pass out quick on fxp1 all keep state

Some of the block events are logged as follows:
....
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
....

How can I change the PF rule to fix this problem?

Thanks
Sam.
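The four log lines quoted above share one property worth checking mechanically before touching the ruleset: each is a FIN/ACK segment on an already-open connection to port 80, dropped by rule 0 (the default `block drop in log all`). pf looks a packet up in the state table before it walks the rules, so any packet that a rule matched at all had no state entry, and with `flags S/SA keep state` only a SYN can create one. Whether the entry was never created, timed out, or was lost is not visible in pflog alone; `pfctl -si` (state-table counters) and `pfctl -ss` (live entries) are the next things to look at. The script below is an added example, not part of the original message: it parses pflog text lines of the shape `tcpdump -n -e -ttt -i pflog0` prints (the assumed source of the quoted format) and separates blocked SYNs (new connections the policy refused) from blocked mid-stream segments (flows with no state). The sample input is constructed: the first four lines are those quoted above, the last two are invented to show the other cases.

```python
"""Classify pflog block records: could the dropped packet have created
state (a SYN), or did it need an existing state entry (everything else)?"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample input. The first four lines are the ones quoted in the
# message (joined back onto one line each); the last two are invented to
# show a blocked SYN and a blocked ACK-only segment.
SAMPLE_LOG = """\
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
412345 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4200 > 195.141.40.21.80: S 1234:1234(0) win 65535
512345 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: . ack 1 win 64800
"""

# One pflog line as printed by "tcpdump -n -e -ttt -i pflog0" (assumed
# format, matching the quoted lines): delta time, rule number, action,
# direction, interface, then the classic tcpdump TCP summary.
LINE_RE = re.compile(
    r"^\S+\s+rule\s+(?P<rule>\d+)/\d+\([^)]*\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[\w.]+):\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPWE.]+)(?P<rest>.*)$"
)


class Blocked(NamedTuple):
    rule: int
    ifname: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    has_ack: bool

    @property
    def kind(self) -> str:
        # pf consults the state table before the ruleset, so a packet that
        # any rule matched had no state entry. A SYN without ACK is a new
        # connection the ruleset refused; every other segment belongs to a
        # flow that needed state and did not have it.
        if "S" in self.flags and not self.has_ack:
            return "new-connection-denied"
        return "established-flow-no-state"


def parse_pflog(text: str) -> List[Blocked]:
    """Return one Blocked record per 'block' line; other lines are skipped."""
    records: List[Blocked] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("action") != "block":
            continue
        records.append(Blocked(
            rule=int(m.group("rule")),
            ifname=m.group("ifname"),
            direction=m.group("dir"),
            src=m.group("src"), sport=int(m.group("sport")),
            dst=m.group("dst"), dport=int(m.group("dport")),
            flags=m.group("flags"),
            # tcpdump prints "ack N" only when the ACK bit is set
            has_ack=" ack " in m.group("rest"),
        ))
    return records


def summarize(records: List[Blocked]) -> Dict[str, object]:
    """Count drops by kind and by (interface, rule), and list the flows hit."""
    return {
        "by_kind": dict(Counter(r.kind for r in records)),
        "by_rule": dict(Counter((r.ifname, r.rule) for r in records)),
        "flows": sorted({(r.src, r.sport, r.dst, r.dport) for r in records}),
    }


if __name__ == "__main__":
    summary = summarize(parse_pflog(SAMPLE_LOG))
    for key in ("by_kind", "by_rule"):
        print(key, summary[key])
    for flow in summary["flows"]:
        print("flow %s:%d -> %s:%d" % flow)
```

A high count of `established-flow-no-state` drops on the default block rule, with no corresponding `new-connection-denied` drops for the same flows, says the ruleset is not the part refusing the download; the state entries that should have carried those flows are absent, and the state table (`pfctl -si`, `pfctl -ss`, and the timeouts from `pfctl -st`) is where to look next.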


