Changing Rule 622 to pass any protocol solves the problem?!

@622 pass in log quick on bge0 inet from 172.16.13.0/24 to any keep state
I think I've found a great BUG in pf on FreeBSD.

Quote from Peter Allgeyer <[EMAIL PROTECTED]>:

> Have to add sth. to it:
>
> Quote from Peter Allgeyer <[EMAIL PROTECTED]>:
>
> > following problem:
> >
> > pfSense: R1 Router/FW between LAN L1 and Internet
> > LAN Router: R2 Router/FW between LAN L1 and LAN L2
> >
> > pfSense is default gw for all hosts in local LAN L1. pfSense has a
> > static routing to an internal Router R2 for a private LAN L2. SSH to a
> > host in the private LAN L2 from Linux in local LAN L1 is ok. SSH to a
> > host in the private LAN L2 from Windows is ok for only a few seconds,
> > after that, the connection hangs. Tcpdump on R1 further shows packets
> > going to the Host in L2, but nothing comes back. R2 has a packet
> > filter, so maybe there's a problem. Ok, so far so bad.
>
> This is the output of the logfile on pfSense:
>
> Jul 10 14:44:05 pf02 pf: 283479 rule 622/0(match): pass in on bge0: (tos 0x0, ttl 64, id 2159, offset 0, flags [DF], proto: TCP (6), length: 60) 172.16.13.11.39326 > 192.168.40.20.22: S 946074295:946074295(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
> Jul 10 14:44:34 pf02 pf: 477533 rule 1224/0(match): block in on bge0: (tos 0x10, ttl 64, id 43958, offset 0, flags [DF], proto: TCP (6), length: 64) 172.16.13.11.53968 > 192.168.40.20.22: . ack 1 win 9860 <nop,nop,timestamp 127604616[|tcp]>
> Jul 10 14:44:37 pf02 pf: 936222 rule 1224/0(match): block in on bge0: (tos 0x10, ttl 64, id 2277, offset 0, flags [DF], proto: TCP (6), length: 52) 172.16.13.11.39326 > 192.168.40.20.22: . ack 2819347952 win 5268 <nop,nop,timestamp 127605343[|tcp]>
>
> and so on ...
>
> Rule 622:
> @622 pass in log quick on bge0 inet proto tcp from 172.16.0.0/16 port >= 1024 to 192.168.0.0/16 port = ssh flags S/SA keep state
>
> It seems that pfSense allows the initial SYN, can't see the SYN/ACK
> (because of asymmetric routing) and then allows the ACK. After a while,
> it decides to block the traffic. BUT WHY?
>
> BR,
> PIT
>
> ---------------------------------------------------------------------------
> copyleft(c) by | _-_ "sic transit discus mundi" (From the System
> Peter Allgeyer | 0(o_o)0 Administrator's Guide, by Lars Wirzenius)
> ---------------oOO--(_)--OOo-----------------------------------------------
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
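The symptom in the quoted log (a SYN passed by the stateful rule 622, then ACKs of the same connection blocked by rule 1224) can be picked out of a pflog text dump automatically. The following script is an added example, not code from the thread or from pfSense; it assumes the textual pflog line layout shown in the quoted messages, and the fourth sample line (source port 40000, a flow that is never blocked) is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the three pflog lines quoted in the thread above, plus one
# constructed healthy flow (source port 40000) that is passed and never blocked.
SAMPLE_LOG = """\
Jul 10 14:44:05 pf02 pf: 283479 rule 622/0(match): pass in on bge0: (tos 0x0, ttl 64, id 2159, offset 0, flags [DF], proto: TCP (6), length: 60) 172.16.13.11.39326 > 192.168.40.20.22: S 946074295:946074295(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
Jul 10 14:44:34 pf02 pf: 477533 rule 1224/0(match): block in on bge0: (tos 0x10, ttl 64, id 43958, offset 0, flags [DF], proto: TCP (6), length: 64) 172.16.13.11.53968 > 192.168.40.20.22: . ack 1 win 9860 <nop,nop,timestamp 127604616[|tcp]>
Jul 10 14:44:37 pf02 pf: 936222 rule 1224/0(match): block in on bge0: (tos 0x10, ttl 64, id 2277, offset 0, flags [DF], proto: TCP (6), length: 52) 172.16.13.11.39326 > 192.168.40.20.22: . ack 2819347952 win 5268 <nop,nop,timestamp 127605343[|tcp]>
Jul 10 14:45:01 pf02 pf: 100001 rule 622/0(match): pass in on bge0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto: TCP (6), length: 60) 172.16.13.12.40000 > 192.168.40.20.22: S 1:1(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
"""

# One pflog line as quoted above: rule number, action, interface, the IP header
# summary in parentheses, then "src.port > dst.port: <tcp flags> ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pf: \d+ rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"\(.*?proto: (?P<proto>\w+) \(\d+\), length: \d+\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<tcpflags>\S+)"
)

def parse_pflog(text):
    """Parse textual pflog lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def endpoint(ep):
    """'172.16.13.11.39326' -> ('172.16.13.11', 39326)."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)

def find_broken_flows(events):
    """Map each TCP flow (src, dst) to a diagnosis when pf blocked it mid-stream.

    SYN passed by a stateful rule but later ACKs blocked means pf never saw the
    SYN/ACK, so the state never became ESTABLISHED and the default block won.
    """
    flows = defaultdict(list)
    for ev in events:
        if ev["proto"] == "TCP":
            flows[(endpoint(ev["src"]), endpoint(ev["dst"]))].append(ev)
    findings = {}
    for key, evs in flows.items():
        syn_pass = [e for e in evs if e["action"] == "pass" and e["tcpflags"] == "S"]
        mid_block = [e for e in evs if e["action"] == "block" and e["tcpflags"] != "S"]
        if syn_pass and mid_block:
            findings[key] = (f"SYN passed by rule {syn_pass[0]['rule']}, later packets "
                             f"blocked by rule {mid_block[0]['rule']}: SYN/ACK not seen, "
                             "check for an asymmetric return path")
        elif mid_block:
            findings[key] = "mid-stream packets blocked, no SYN in this excerpt"
    return findings
```

Running `find_broken_flows(parse_pflog(SAMPLE_LOG))` flags the 39326 flow with the pass-then-block diagnosis, reports the 53968 flow as blocked without a SYN in the excerpt, and leaves the constructed 40000 flow out.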
