Barb, Duane wrote:
I'm getting dropped packets:
[ID 702911 local0.warning] 08:45:14.146313 bge0 @0:2 b x.x.x.x,30404 ->
x.x.x.x,443 PR tcp len 20 40 -AR IN

duane,

this is a blocked packet, not a dropped packet.
it is arriving at your external interface and being blocked.
note, the line above indicates that the ACK+RST flags are set.

my best guess is that this tuple was once in the state table,
but the connection is already torn down, (i.e., ipf's state
table has deleted the entry), and this packet is thus bouncing
off of the firewall and being logged as a blocked packet.

in other words, it is a packet not associated with a current
state entry, and also not one that initiates a state entry
by the following rule (since the flags don't match up):
> pass in quick on bge0 proto tcp from any to x.y.z.122/32 port = 443
> flags S keep state keep frags
and therefore it is blocked.

seeing the above log entry, assuming you are not having other
issues, is no cause for alarm.  more than likely it is due to
the interaction of the web server/client connection keepalive
mechanisms and ipf's state table expiry times.

jim
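To make Jim's triage repeatable, here is an added example (not part of the original thread) that parses ipmon-style log lines like the one Duane posted and sorts blocked TCP packets by their flag bits: a lone SYN blocked by policy is worth looking at, while an ACK+RST or ACK-only packet with no matching state entry is the stale-connection noise described above. The regex is written against the line layout shown in the post; the sample lines, IP addresses and the category names are constructed for this example and are not from the thread.

```python
import re
from collections import Counter

# Matches one ipmon-style log line as it appears in syslog. The optional
# leading "[ID ... facility.level]" part is the syslog prefix seen in the post.
IPMON_RE = re.compile(
    r"^(?:\[ID\s+\d+\s+[^\]]+\]\s+)?"
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\w)\s+"                        # b = block, p = pass
    r"(?P<src>[0-9A-Fa-f.:]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9A-Fa-f.:]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?"               # TCP flag letters, e.g. AR or S
    r"\s+(?P<dir>IN|OUT)\b"
)

# Constructed sample lines (documentation addresses, not real hosts).
SAMPLE_LINES = [
    "[ID 702911 local0.warning] 08:45:14.146313 bge0 @0:2 b 192.0.2.10,30404 -> 198.51.100.5,443 PR tcp len 20 40 -AR IN",
    "[ID 702911 local0.warning] 08:45:20.001122 bge0 @0:2 b 192.0.2.77,51234 -> 198.51.100.5,22 PR tcp len 20 60 -S IN",
    "[ID 702911 local0.warning] 08:45:21.334455 bge0 @0:2 b 192.0.2.10,30405 -> 198.51.100.5,443 PR tcp len 20 40 -A IN",
    "[ID 702911 local0.warning] 08:45:22.556677 bge0 @0:2 b 192.0.2.80,40000 -> 198.51.100.5,161 PR udp len 20 63 IN",
    "[ID 702911 local0.notice] 08:45:23.778899 bge0 @0:1 p 192.0.2.11,44321 -> 198.51.100.5,443 PR tcp len 20 60 -S IN",
    "ipmon: not a packet line",
]


def parse_ipmon_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        entry[key] = int(entry[key]) if entry[key] is not None else None
    # Keep the flag letters as a set so membership tests read naturally.
    entry["flags"] = set(entry["flags"]) if entry["flags"] else set()
    return entry


def classify(entry):
    """Label a parsed entry. Category names are this example's own, not ipf's."""
    if entry["action"] != "b":
        return "passed"
    flags = entry["flags"]
    if entry["proto"] == "tcp":
        if "S" in flags and "A" not in flags:
            # A bare SYN is a new connection attempt the rule set refused.
            return "blocked-syn"
        if "R" in flags or "F" in flags:
            # RST/FIN with no state entry: the connection was already torn
            # down or its state expired; the packet bounces off the firewall.
            return "blocked-teardown"
        # ACK or data for a flow ipf no longer tracks (state expiry).
        return "blocked-midstream"
    return "blocked-other"


def summarize(lines):
    """Count lines per category; unparseable lines are reported, not dropped."""
    counts = Counter()
    for line in lines:
        entry = parse_ipmon_line(line)
        counts[classify(entry) if entry else "unparsed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_ipmon_line(line)
        print(classify(entry) if entry else "unparsed", "|", line)
    print(summarize(SAMPLE_LINES))
```

With a rule like the quoted `pass in quick ... flags S keep state`, only a SYN can create a state entry, so the `blocked-teardown` and `blocked-midstream` counts are exactly the post-expiry traffic Jim describes; a rising `blocked-syn` count against a port you expect to serve is the one that deserves a look at the rule set.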

