While watching the tcpdump output of pflog0 today I noticed the following: traffic bound for my web server is getting blocked when I think it shouldn't be.

First the log output...

12:06:12.410460 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: P 1131724836:1131725285(449) ack 2929330144 win 16754 (DF)
12:06:12.411053 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: F 449:449(0) ack 1 win 16754 (DF)
12:06:13.540560 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: P 1140690921:1140691350(429) ack 2958860508 win 16623 (DF)
12:06:13.541124 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: F 429:429(0) ack 1 win 16623 (DF)
12:06:14.300488 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: FP 0:449(449) ack 1 win 16754 (DF)
12:06:15.903226 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: FP 0:429(429) ack 1 win 16623 (DF)
12:06:18.105311 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: FP 0:449(449) ack 1 win 16754 (DF)
12:06:20.707666 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: FP 0:429(429) ack 1 win 16623 (DF)
12:06:25.715123 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: FP 0:449(449) ack 1 win 16754 (DF)
12:06:30.320130 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: FP 0:429(429) ack 1 win 16623 (DF)
12:06:40.935073 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: FP 0:449(449) ack 1 win 16754 (DF)
12:06:49.545346 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: FP 0:429(429) ack 1 win 16623 (DF)
12:07:11.373314 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: FP 0:449(449) ack 1 win 16754 (DF)
12:07:27.995603 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: FP 0:429(429) ack 1 win 16623 (DF)

Here's the rule it's blocking this traffic on...

# pfctl -s r | grep 583
@583 block in log quick on xl0 all

But here is an earlier rule that is supposed to let it pass through.

@511 pass out quick on xl0 inet proto tcp from webserver.mydomain.com port = https to any port > 1023 flags S/SA keep state
@512 pass out quick on xl0 inet proto tcp from webserver.mydomain.com port = www to any port > 1023 flags S/SA keep state
@513 pass in quick on xl0 inet proto tcp from any port > 1023 to webserver.mydomain.com port = https flags S/SA keep state
@514 pass in quick on xl0 inet proto tcp from any port > 1023 to webserver.mydomain.com port = www flags S/SA keep state

----------------------------------------------------------------------
Duncan Matthew Stirling <[EMAIL PROTECTED]>    Cross Media Commerce
Network Administrator                          Digital Asset Management
http://www.mBase.com                           Web Content Management
P:780-945-4607                                 Single Source Print and eCommerce Catalogs
----------------------------------------------------------------------
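
As an added example (not part of the original post or the poster's own tooling), the following Python script parses pflog lines in the tcpdump format shown above and groups the blocked packets by flow and TCP flags. The point it makes visible: a rule written with "flags S/SA keep state" matches only a SYN without ACK, which is the one packet that can create a state entry; data (P), FIN (F) and FIN+PSH (FP) segments arriving with no matching state never hit such a rule and fall through to whatever block rule follows. The script reports which flows were logged without any bare SYN. The sample log is constructed from the lines in the post plus one invented SYN to port 8080, added so the classifier has both kinds of flow to distinguish; hostnames, ports and the rule number are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the first five pflog lines from the post, plus one
# invented blocked SYN to port 8080 (not in the post) so that a flow whose
# *first* packet was rejected is shown alongside mid-stream rejections.
SAMPLE_LOG = """\
12:06:12.410460 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: P 1131724836:1131725285(449) ack 2929330144 win 16754 (DF)
12:06:12.411053 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: F 449:449(0) ack 1 win 16754 (DF)
12:06:13.540560 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: P 1140690921:1140691350(429) ack 2958860508 win 16623 (DF)
12:06:14.300488 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1248 > webserver.mydomain.com.www: FP 0:449(449) ack 1 win 16754 (DF)
12:06:15.903226 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1252 > webserver.mydomain.com.www: FP 0:429(429) ack 1 win 16623 (DF)
12:06:16.000000 rule 583/0(match): block in on xl0: webclient.atsomedomain.com.1260 > webserver.mydomain.com.8080: S 1234567890:1234567890(0) win 16384 <mss 1460> (DF)
"""

# Old-style tcpdump TCP line: flag letters (S F P R U E W, or "." for none)
# followed by seq/len, and an "ack N" token only when the ACK bit is set.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifc>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFPRUEW.]+) (?P<rest>.*)$"
)


def parse_pflog(text):
    """Return one dict per parseable TCP pflog line. 'ack' is True when the
    ACK bit is set, which tcpdump shows as an 'ack N' token rather than a
    flag letter."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparseable line; skip rather than guess
        rec = m.groupdict()
        rec["ack"] = re.search(r"\back \d+\b", rec["rest"]) is not None
        records.append(rec)
    return records


def is_bare_syn(rec):
    """SYN set, ACK clear: the only packet a 'flags S/SA keep state' rule
    matches, and therefore the only one that can create a state entry."""
    return "S" in rec["flags"] and not rec["ack"]


def summarize_flows(records):
    """Group packets by (src, sport, dst, dport) and record which flag
    combinations and rule numbers were seen, and whether a bare SYN was."""
    flows = defaultdict(lambda: {"packets": 0, "flags": set(),
                                 "rules": set(), "saw_bare_syn": False})
    for rec in records:
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        f = flows[key]
        f["packets"] += 1
        f["flags"].add(rec["flags"])
        f["rules"].add(int(rec["rule"]))
        f["saw_bare_syn"] = f["saw_bare_syn"] or is_bare_syn(rec)
    return dict(flows)


def mid_stream_flows(flows):
    """Flows for which every logged packet is mid-connection (data, FIN, RST)
    and no SYN appears: a flags S/SA rule cannot match these, so without an
    existing state entry they reach the default block rule."""
    return sorted(k for k, f in flows.items() if not f["saw_bare_syn"])


if __name__ == "__main__":
    flows = summarize_flows(parse_pflog(SAMPLE_LOG))
    for key, f in sorted(flows.items()):
        kind = "handshake rejected" if f["saw_bare_syn"] else "mid-stream, no state"
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  pkts={f['packets']} "
              f"flags={sorted(f['flags'])} rules={sorted(f['rules'])}  {kind}")
```

Run against a live capture with something like `tcpdump -n -e -ttt -i pflog0 | python3 pflog_flows.py` after swapping SAMPLE_LOG for stdin (the script name is a placeholder). Flows reported as "mid-stream, no state" tell you the packets are being judged against the rule list because no state entry exists for them; common reasons are the connection predating a ruleset load that flushed states, state expiry on a long-idle connection, or the initial SYN having traversed a different interface than the one the pass rule names. The log alone cannot distinguish these; `pfctl -s state` taken while the connection is alive can.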
