On Fri, Mar 26, 2010 at 4:56 AM, Bastian Schern <[email protected]> wrote:
> Hi,
>
> For many years I have run multiple pfSense firewalls very successfully.
>
> Since 1.2.3-RELEASE was released I have started to upgrade all my pfSenses to
> this release. It works very well on nearly all machines. But on one system I
> have problems:
>
> After the upgrade from 1.2-RELEASE to 1.2.3-RELEASE all TCP packets on the
> WAN interface are dropped by the default rule:
>        block drop out log quick all label "Default deny rule"
>
> This is very strange because I have allowed TCP SSH and HTTP/S access on
> this interface.
>
> I have the same problem if I upgrade to other 1.2.x releases.
> If I downgrade back to 1.2-RELEASE everything works fine again.
>
> Does anybody have an idea how to find out what the problem is?
>

Probably asymmetric routing. The default for flags in the newer PF versions in
FreeBSD 7.x (pfSense 1.2.1, 1.2.2, 1.2.3) is much stricter than it
was in FreeBSD 6.2 (pfSense 1.2). So if the firewall isn't seeing the
entire connection (such as only traffic in one direction), it's going
to kill that state because it can't properly track the connection state;
the traffic looks spoofed.

The fix is to first figure out where the problem is, what's causing
the asymmetric routing. Then the solution will depend on the cause.
There are many possible causes depending on what's in your network.
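As an added diagnostic aid, not part of this thread, the script below reads `tcpdump -n -e -i pflog0` output and separates blocked bare SYNs (no pass rule matched) from blocked mid-stream packets (no matching state, the symptom one-directional traffic produces). The log lines are constructed, the WAN interface name `em0` and the `Flags [...]` notation of a current tcpdump are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -i pflog0` output; em0 is the WAN,
# 192.0.2.10 the firewall's WAN address. Not taken from the original thread.
SAMPLE_PFLOG = """\
00:00:01.000000 rule 0/0(match): block out on em0: 192.0.2.10.22 > 198.51.100.7.51234: Flags [S.], seq 10, ack 11, win 65535, length 0
00:00:01.100000 rule 0/0(match): block out on em0: 192.0.2.10.443 > 198.51.100.8.40001: Flags [P.], seq 1:200, ack 1, win 1024, length 199
00:00:02.000000 rule 0/0(match): block out on em0: 192.0.2.10.443 > 198.51.100.8.40001: Flags [.], ack 300, win 1024, length 0
00:00:03.000000 rule 0/0(match): block in on em0: 203.0.113.9.33333 > 192.0.2.10.8080: Flags [S], seq 0, win 64240, length 0
00:00:04.000000 rule 0/0(match): block in on em0: 203.0.113.9.33334 > 192.0.2.10.22: Flags [.], ack 1, win 1024, length 0
"""

# One pflog line: rule id, verdict, direction, interface, endpoints, TCP flags.
PFLOG_RE = re.compile(
    r"rule \S+: (?P<verdict>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify(flags):
    """A bare SYN is a new connection: if blocked, no pass rule matched it.
    Anything else (SYN-ACK, ACK, PSH, FIN, RST) should already have a state
    entry; a block means pf never saw, or has dropped, the handshake."""
    return "new_syn" if flags == "S" else "mid_stream"

def triage(pflog_text, ifname="em0"):
    """Count blocked packets on `ifname` by direction and class; keep detail."""
    summary = Counter()
    detail = []
    for line in pflog_text.splitlines():
        m = PFLOG_RE.search(line)
        if not m or m["verdict"] != "block" or m["ifname"] != ifname:
            continue
        kind = classify(m["flags"])
        summary[(m["dir"], kind)] += 1
        detail.append((m["dir"], m["src"], m["dst"], m["flags"], kind))
    return summary, detail

def verdict(summary):
    """Turn the counts into the two questions the thread raises."""
    findings = []
    if summary[("out", "mid_stream")] or summary[("in", "mid_stream")]:
        findings.append("stateless mid-stream drops: pf is not seeing both "
                        "directions of these connections (check routing)")
    if summary[("in", "new_syn")]:
        findings.append("new SYNs blocked: no pass rule matched these ports")
    return findings
```

On the sample, the three outbound drops on ports 22 and 443 are replies to connections pf holds no state for, which is the pattern to look for before touching the rule set.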
