Making and drinking tea, and reading an opus magnum from Chris Cameron:
> I have this rule in my default deny ruleset:
> pass in on xl0 inet proto tcp from any to any port www flags S/SA keep state
>
> Which I understand should let in only connections with the proper flag
> (syn) set for opening a TCP connection, after which a state entry is
> made.
>
> However, in my pflog I'm seeing -a lot- of entries like the one below:
>
> Nov 04 07:25:10.174689 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 6051007:6051007(0) ack 3739225974 win 8549 (DF)
> Nov 04 07:25:12.574689 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 0:0(0) ack 1 win 8549 (DF)
> Nov 04 07:25:17.591847 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 0:0(0) ack 1 win 8549 (DF)
> Nov 04 07:25:27.580550 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 0:0(0) ack 1 win 8549 (DF)
> Nov 04 07:25:47.585534 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 0:0(0) ack 1 win 8549 (DF)
>
> Which seems to show that web traffic is getting blocked.
Those are FIN packets, as you can see.
Most likely this happens when the final
FIN gets lost on the way to the client and the state
is already removed in pf, but the remote
client still tries to close the connection.
> However, I haven't had anyone complain yet, and I wasn't able to get
> blocked no matter how many different ways I tried connecting.
>
> So, what's going on? Should I be worried? Anyone else seeing this?
This is typical.
cu7
--
paranoic mickey (my employers have changed, but the name has remained)
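To tell the harmless stale-state FINs described in the reply apart from SYNs that the pass rule should have matched, here is an added example (not from the thread or from pf itself) that parses tcpdump-style pflog lines and counts blocked packets per flow and flag class. It assumes the ruleset passes port 80 (the `port www` rule above); the sample lines are constructed from the format quoted in the post, with one made-up SYN record added for contrast.

```python
import re
from collections import Counter

# Constructed sample pflog lines in the tcpdump(8) format quoted in the post,
# each record joined onto one line. The last (SYN) line is made up for contrast.
SAMPLE_PFLOG = """\
Nov 04 07:25:10.174689 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 6051007:6051007(0) ack 3739225974 win 8549 (DF)
Nov 04 07:25:12.574689 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 0:0(0) ack 1 win 8549 (DF)
Nov 04 07:25:17.591847 rule 1/0(match): block in on xl0: 198.151.212.13.1456 > 209.82.111.158.80: F 0:0(0) ack 1 win 8549 (DF)
Nov 04 07:26:01.000000 rule 1/0(match): block in on xl0: 192.0.2.44.40001 > 209.82.111.158.80: S 12345:12345(0) win 65535 (DF)
"""

# One record: timestamp, rule, action, direction, interface, 4-tuple, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\S+): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
)

def parse_pflog(text):
    """Parse tcpdump-style pflog lines; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def classify(entry, passed_ports):
    """stale-fin: FIN/RST to a passed port, i.e. the state already expired while the
    peer still tears the session down (harmless, the case in the reply).
    blocked-syn: SYN to a passed port, which the pass rule should have matched."""
    if entry["dport"] in passed_ports:
        if "S" in entry["flags"]:
            return "blocked-syn"
        if "F" in entry["flags"] or "R" in entry["flags"]:
            return "stale-fin"
    return "other"

def summarize(text, passed_ports):
    """Count blocked packets per (label, src, dst, dport) so retries collapse."""
    counts = Counter()
    for e in parse_pflog(text):
        if e["action"] == "block":
            counts[(classify(e, passed_ports), e["src"], e["dst"], e["dport"])] += 1
    return counts
```

Feed it real pflog output via `tcpdump -n -e -ttt -r /var/log/pflog` (joined per record) and watch the `blocked-syn` counter; a non-zero value there, not the `stale-fin` retries, is what would indicate web traffic actually being blocked.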