On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary <[email protected]> wrote:
> Speculation: this looks to me like an end of a valid http session:
> an internal client reads a web page, and probably a few images,
> everything goes through, but the last FIN does not. The first SYN
> creates state that lets the subsequent packets through. Doesn't the
> last FIN belong to the same state? Also, this is an outgoing packet,
> which I explicitly allow.
>
> What can possibly be blocking these FIN packets?
>
> Jan,
I have run into a similar situation where I had packets getting blocked through my OpenBSD fw and could not figure out why. The couple pieces of code I tend to use to debug such a thing:

1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the two and throw them on all your block statements.

2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not only the packets being logged, but also the pf rules blocking them. Example:

    Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]

I see this is rule 8. I then run 'pfctl -s rules -vv' which among other things, outputs

    @8 block return in log all label "block_all"
      [ Evaluations: 1196726 Packets: 5786 Bytes: 352780 States: 0 ]
      [ Inserted: uid 0 pid 2220 State Creations: 0 ]

"@8" corresponding to a particular PF rule. I find that by combining these two debugging tools, I am able to pinpoint the rule that might be blocking a specific set of connections.

Hope that helps.

Cheers,
Jeffrey
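The two-step correlation Jeffrey describes (read the rule number off a pflog0 line, then look it up in the 'pfctl -s rules -vv' listing) can be scripted. The following is an added example, not code from the thread: the sample pflog line and rule listing are constructed from the formats quoted above, and the two helper function names are my own. On a live firewall you would feed it the real output of 'tcpdump -n -ttt -e -i pflog0' and 'pfctl -s rules -vv' instead of the embedded samples.

```shell
#!/bin/sh
# Added example (not from the original mail): map a tcpdump-on-pflog0 line
# to the rule in 'pfctl -s rules -vv' that logged it.

# Extract the rule number from a pflog0 line of the form
#   "... rule 8/(match) block in on vr0: ..."
# Prints nothing if the line carries no "rule N/(match)" field.
pflog_rule_number() {
    printf '%s\n' "$1" | sed -n 's|.* rule \([0-9][0-9]*\)/(match) .*|\1|p'
}

# Given the full 'pfctl -s rules -vv' text and a rule number, print the
# rule line that starts with "@<n> ". The counter lines that follow each
# rule are intentionally left out so the result is one line per rule.
pfctl_rule_by_number() {
    rules="$1"
    n="$2"
    printf '%s\n' "$rules" | grep "^@$n "
}

# Constructed sample input mirroring the formats quoted in the mail.
SAMPLE_PFLOG='Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]'
SAMPLE_RULES='@7 pass out quick on vr0 inet proto tcp all flags S/SA keep state
  [ Evaluations: 1200000 Packets: 900000 Bytes: 600000000 States: 12 ]
  [ Inserted: uid 0 pid 2220 State Creations: 900 ]
@8 block return in log all label "block_all"
  [ Evaluations: 1196726 Packets: 5786 Bytes: 352780 States: 0 ]
  [ Inserted: uid 0 pid 2220 State Creations: 0 ]'

main() {
    n=$(pflog_rule_number "$SAMPLE_PFLOG")
    if [ -z "$n" ]; then
        echo "no rule number found in pflog line" >&2
        return 1
    fi
    echo "pflog line was matched by rule $n:"
    pfctl_rule_by_number "$SAMPLE_RULES" "$n"
}

main
```

Because 'log' on a rule only records packets that rule matches, the rule number printed by tcpdump is the one to look up; if the FIN shows up under a block rule rather than under the pass rule that created the state, that is the line to examine, and 'log (all)' on the pass rules will show whether the state still exists when the FIN arrives.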

