I think this may be related, or another 1.2.2 upgrade woe to add to your list:

I have 2 firewalls that were running 1.2, carped together with fw1 (master) 
syncing to fw2.

Before upgrading fw1 to 1.2.2, I backed up the config files on both firewalls.  
I have verified that the rules sections are identical on both firewalls.

I upgraded fw1 to 1.2.2 and left fw2 at 1.2 just in case I ran into problems.  
I did (run into problems):

I have an old mailserver outside the firewall relaying mail to a new mailserver 
behind the firewall.  After the 1.2.2 upgrade, fw1 continues to relay okay, until 
someone sends a large-ish attachment that needs to be relayed between the two 
mailservers (xxx.xxx.51.1 is the mailserver outside the firewall and yyy.yyy.209.2 
is the mailserver inside the firewall).

fw1 (1.2.2) reports:

Jan 30 08:11:10 fw1/fw1 pf: 15. 670556 rule 1581/0(match): block in on em1: 
(tos 0x0, ttl 63, id 23650, offset 0, flags [none],proto TCP (6), length 1500) 
xxx.xxx.51.1.63475 > yyy.yyy.209.2.25: . 0:1460(1460) ack 1 win 49498

relevant fw1 rules:
@264 pass in quick on em1 reply-to (em1 yyy.yyy.203.142) inet from xxx.xxx.51.1 
to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
@265 pass in quick on carp11 reply-to (em1 yyy.yyy.203.142) inet from 
xxx.xxx.51.1 to yyy.yyy.209.2 flags S/SA keep state label "USER_RULE: MTA"
...
@1581 block drop in log quick all label "Default deny rule"

As soon as I shut down fw1 and leave fw2 as master, I send the same email 
message again, this time successfully. 

fw2 reports (I enabled rule logging on fw2):

Jan 30 09:17:13 fw2/fw2 pf: 288961 rule 255/0(match): pass in on em1: (tos 0x0, 
ttl  63, id 41857, offset 0, flags [none], proto: TCP (6), length: 48) 
xxx.xxx.51.1.33879 > yyy.yyy.209.2.25: S, cksum 0xc441 (correct), 
951133206:951133206(0) win 49640 <mss 1460,nop,nop,sackOK>
Jan 30 09:17:43 fw2/fw2 pf: 1. 324892 rule 255/0(match): pass in on em1: (tos 
0x0, ttl  63, id 35233, offset 0, flags [none], proto: TCP (6), length: 48) 
xxx.xxx.51.1.33890 > yyy.yyy.209.2.25: S, cksum 0x93fb (correct), 
959337428:959337428(0) win 49640 <mss 1460,nop,nop,sackOK>

fw2 rules:
@255 pass in quick on em1 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state 
label "USER_RULE: MTA"
@256 pass in quick on carp11 inet from xxx.xxx.51.1 to yyy.yyy.209.2 keep state 
label "USER_RULE: MTA"

I don't want to downgrade given that there are security fixes between 1.2 and 
1.2.2.  

Your help always appreciated!

-Julie
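For anyone triaging the same kind of report, here is a small pf-log parser I am adding to this thread (it is not from Julie's post or from pfSense itself). It reads the two log formats shown above, rejoined onto single lines as constructed samples, and separates blocked SYNs (a rule-set decision) from blocked mid-stream segments like the length-1500 one on fw1, which point at a missing state entry rather than at the rules.

```python
import re

# Constructed sample lines: the two wrapped excerpts from the post rejoined onto
# one line each, with the masked xxx/yyy addresses kept exactly as posted.
SAMPLE_LOG = [
    "Jan 30 08:11:10 fw1/fw1 pf: 15. 670556 rule 1581/0(match): block in on em1: "
    "(tos 0x0, ttl 63, id 23650, offset 0, flags [none],proto TCP (6), length 1500) "
    "xxx.xxx.51.1.63475 > yyy.yyy.209.2.25: . 0:1460(1460) ack 1 win 49498",
    "Jan 30 09:17:13 fw2/fw2 pf: 288961 rule 255/0(match): pass in on em1: (tos 0x0, "
    "ttl  63, id 41857, offset 0, flags [none], proto: TCP (6), length: 48) "
    "xxx.xxx.51.1.33879 > yyy.yyy.209.2.25: S, cksum 0xc441 (correct), "
    "951133206:951133206(0) win 49640 <mss 1460,nop,nop,sackOK>",
]

# Accepts both spellings seen in the post: 1.2 logs "proto: TCP (6), length: 48",
# 1.2.2 logs "proto TCP (6), length 1500".  TCP only; other protocols are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pf: .*?"
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\S+): \(.*?proto:? TCP \(6\), length:? (?P<length>\d+)\) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
)

def classify(action, flags):
    """Say what this log line tells the operator.  'flags' is pf's tcpdump-style
    TCP flag field: "S" means SYN, "." means none of SYN/FIN/RST/PSH set."""
    if action == "pass":
        return "pass"
    if "S" in flags:
        return "blocked-new-connection"   # policy decision: inspect the rule set
    # A non-SYN segment reaching the default deny means no state entry matched it,
    # so the state table (or its sync between CARP peers) is what to inspect next.
    return "blocked-mid-stream"

def parse_log(lines):
    """Parse pf log lines into dicts; lines that are not TCP pass/block are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["rule"], e["length"] = int(e["rule"]), int(e["length"])
            e["verdict"] = classify(e["action"], e["flags"])
            entries.append(e)
    return entries

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e['host']} @{e['rule']} {e['action']} {e['src']}->{e['dst']}:{e['dport']} "
              f"len={e['length']} flags={e['flags']!r} -> {e['verdict']}")
```

Feed it the raw pf log from both CARP peers around the failing transfer; a run of blocked-mid-stream entries on the master only, for a flow the standby passes fine, says the problem is state handling after the upgrade and not the MTA rules, which match in both rule sets.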