Hello..

I just added a rule to allow port 80 traffic into my server and started
noticing some odd blocks occurring.

It seems that some web connections are losing their state and sending an R or
F flag, which gets blocked. I am not sure of the time, but I think once I was
refreshing the page and it seemed to hang for a good 20 seconds before I could
get my page.

Here are some lines from the pflog where the issue shows up:

May 06 18:07:06.149898 rule 8/(match) pass in on fxp0: 67.8.88.172.62876 > 10.1.1.100.80: S 2727135807:2727135807(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 18:16:26.957972 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 2727136588:2727136588(0) ack 623850661 win 65535 (DF)
May 06 18:16:26.958424 rule 8/(match) pass in on fxp0: 67.8.88.172.62961 > 10.1.1.100.80: S 1091526713:1091526713(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 18:16:28.804891 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)
May 06 18:16:32.633583 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)
May 06 18:16:40.289950 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)
May 06 18:16:55.493370 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)

Also, here is another section:

May 06 18:24:41.324639 rule 8/(match) pass in on fxp0: 67.8.88.172.62984 > 10.1.1.100.80: S 2030330019:2030330019(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 19:35:07.332356 rule 8/(match) pass in on fxp0: 67.8.241.41.3674 > 10.1.1.100.80: S 2875074564:2875074564(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
May 06 19:35:07.374344 rule 8/(match) pass in on fxp0: 67.8.241.41.3676 > 10.1.1.100.80: S 2875172601:2875172601(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
May 06 19:35:07.424298 rule 8/(match) pass in on fxp0: 67.8.241.41.3677 > 10.1.1.100.80: S 2875257357:2875257357(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
May 06 19:35:38.350378 rule 8/(match) pass in on fxp0: 67.8.241.41.3735 > 10.1.1.100.80: S 2885203952:2885203952(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
May 06 21:21:45.029460 rule 8/(match) pass in on fxp0: 67.8.88.172.63891 > 10.1.1.100.80: S 2683364380:2683364380(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 21:22:26.591912 rule 6/(match) pass in on fxp0: 10.1.1.200.15282 > 10.1.1.100.42849: S 4082795711:4082795711(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 21:23:21.436194 rule 8/(match) pass in on fxp0: 67.8.88.172.63893 > 10.1.1.100.80: S 1713087682:1713087682(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 21:23:49.446089 rule 8/(match) pass in on fxp0: 67.8.88.172.63894 > 10.1.1.100.80: S 1117169177:1117169177(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 21:24:00.538759 rule 0/(match) block in on fxp0: 67.8.241.41.3735 > 10.1.1.100.80: R 2885205581:2885205581(0) win 0 (DF)

Here are my pf rules:

scrub in all fragment reassemble
block drop in log on fxp0 all
block out log on fxp0 all
pass out on fxp0 inet proto tcp from 10.1.1.100 to 10.1.1.1 port = domain flags S/SA keep state (if-bound)
pass out on fxp0 inet proto udp from 10.1.1.100 to 10.1.1.1 port = domain keep state (if-bound)
pass out on fxp0 inet proto udp from 10.1.1.100 to any port = ntp keep state (if-bound)
pass out on fxp0 inet proto tcp from 10.1.1.100 to any port = smtp flags S/SA keep state (if-bound)
pass in log on fxp0 inet proto tcp from 10.1.1.200 to 10.1.1.100 port = 42849 flags S/SA synproxy state (if-bound)
pass in log on fxp0 inet proto tcp from <USAddrs> to 10.1.1.100 port = 42849 flags S/SA synproxy state (if-bound)
pass in log on fxp0 inet proto tcp from any to 10.1.1.100 port = www flags S/SA synproxy state (if-bound)

I feel like it is something I am doing wrong, or maybe some web clients will
do odd things after a period of time. Has anyone seen this before? Thanks.

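Added example (editor's code, not part of the post above). In pf, a packet that matches an existing state entry is passed on the strength of that state without the ruleset being evaluated, so a FIN or RST logged as blocked by the catch-all rule 0 on a connection that rule 8 had earlier passed a SYN for means no state existed for that 4-tuple at that moment. The script below parses pflog records in the tcpdump format shown in the post (assumed to come from "tcpdump -n -e -ttt -r /var/log/pflog"), correlates each blocked FIN/RST with the last passed SYN on the same source/destination pair, and reports how old the connection was when the block happened and how many times the client retransmitted (the 2, 4, 8 and 15 second gaps between the blocked FINs above are the client's retransmission backoff, which is the hang the poster describes). The sample records are single-line reconstructions of lines from the post; the timestamps carry no year, so the script assumes all records fall within one calendar year.

```python
import re
from datetime import datetime

# One pflog record as rendered by OpenBSD tcpdump with -n -e -ttt
# (assumed source of the lines in the post).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifn>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)

# Constructed sample: the post's records rejoined onto single lines.
SAMPLE_PFLOG = """\
May 06 18:07:06.149898 rule 8/(match) pass in on fxp0: 67.8.88.172.62876 > 10.1.1.100.80: S 2727135807:2727135807(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 18:16:26.957972 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 2727136588:2727136588(0) ack 623850661 win 65535 (DF)
May 06 18:16:26.958424 rule 8/(match) pass in on fxp0: 67.8.88.172.62961 > 10.1.1.100.80: S 1091526713:1091526713(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
May 06 18:16:28.804891 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)
May 06 18:16:32.633583 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)
May 06 18:16:40.289950 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)
May 06 18:16:55.493370 rule 0/(match) block in on fxp0: 67.8.88.172.62960 > 10.1.1.100.80: F 0:0(0) ack 1 win 65535 (DF)
May 06 19:35:38.350378 rule 8/(match) pass in on fxp0: 67.8.241.41.3735 > 10.1.1.100.80: S 2885203952:2885203952(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
May 06 21:24:00.538759 rule 0/(match) block in on fxp0: 67.8.241.41.3735 > 10.1.1.100.80: R 2885205581:2885205581(0) win 0 (DF)
"""


def parse_line(line):
    """Return a dict for one pflog record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The timestamp has no year; assumption: every record is from one year.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # tcpdump prints the ACK flag as "ack <n>" after the sequence numbers,
    # so a SYN-ACK reads "S ... ack N" while a bare SYN has no " ack ".
    rec["synack"] = "S" in rec["flags"] and " ack " in rec["rest"]
    return rec


def analyze(lines):
    """Correlate blocked FIN/RST packets with the passed SYN of the same 4-tuple.

    Returns one report per (src, sport, dst, dport) that had a FIN or RST
    blocked: age of the connection at the first block (None if no passed SYN
    for it appears in the log window), number of blocked copies, and the
    time span those copies cover (the client's retransmission stall)."""
    syn_seen = {}   # 4-tuple -> time of the last passed SYN (state creation)
    events = {}     # 4-tuple -> report dict
    order = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "pass" and "S" in rec["flags"] and not rec["synack"]:
            syn_seen[key] = rec["ts"]
        elif rec["action"] == "block" and ("F" in rec["flags"] or "R" in rec["flags"]):
            ev = events.get(key)
            if ev is None:
                syn_ts = syn_seen.get(key)
                ev = {
                    "conn": "%s:%d > %s:%d" % key,
                    "kind": "RST" if "R" in rec["flags"] else "FIN",
                    "rule": rec["rule"],
                    "first": rec["ts"],
                    "last": rec["ts"],
                    "count": 0,
                    "secs_since_syn": None if syn_ts is None
                    else (rec["ts"] - syn_ts).total_seconds(),
                }
                events[key] = ev
                order.append(key)
            ev["count"] += 1
            ev["last"] = rec["ts"]
    return [events[k] for k in order]


def format_report(reports):
    """Render the analyze() output as one line per affected connection."""
    out = []
    for ev in reports:
        if ev["secs_since_syn"] is None:
            age = "no passed SYN in this log window"
        else:
            age = "%.1f s after its SYN" % ev["secs_since_syn"]
        stall = (ev["last"] - ev["first"]).total_seconds()
        out.append("%s: %s blocked by rule %d, %s; %d copies over %.1f s"
                   % (ev["conn"], ev["kind"], ev["rule"], age, ev["count"], stall))
    return out


if __name__ == "__main__":
    for line in format_report(analyze(SAMPLE_PFLOG.splitlines())):
        print(line)
```

On the sample the FIN on 67.8.88.172:62960 is reported with no passed SYN in the window and five copies over about 28.5 s, while the RST on 67.8.241.41:3735 arrives about 6502 s (roughly 1 h 48 min) after its SYN. Feeding the full pflog through this, and comparing the reported ages against "pfctl -s timeouts" and the live entries in "pfctl -s states", shows whether the states are expiring before the clients finish their close, or were never there for the blocked connection in the first place.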