I have a problem with the firewall rules with pfSense 1.2.3-RELEASE.

The firewall is blocking the traffic from 10.0.150.250.1321 unless state is not 
kept. Of course, without the state the traffic is then blocked on the egress 
port. Below are the log and firewall rules for both cases. The results are the 
same if the source address is changed to any. Any suggestions on how to resolve 
this would be greatly appreciated.
 

With keep state:
Dec  3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on vlan2: 
(tos 0x0, ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), length 52) 
10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0da9 (correct), 
4056631626:4056631626(0) ack 323007018 win 8192 <mss 1460,nop,wscale 
8,nop,nop,sackOK>

@191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to 
any flags S/SA keep state label "USER_RULE"
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
@251 block drop in log quick all label "Default deny rule"



Without keep state:
Dec  3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on vlan2: 
(tos 0x0, ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), length 52) 
10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360 (correct), 
4144994380:4144994380(0) ack 411542245 win 8192 <mss 1460,nop,wscale 
8,nop,nop,sackOK>
Dec  3 10:06:01 192.76.18.8 pf: 000055 rule 252/0(match): block out on bge0: 
(tos 0x0, ttl 126, id 19770, offset 0, flags [DF], proto TCP (6), length 52) 
10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360 (correct), 
4144994380:4144994380(0) ack 411542245 win 8192 <mss 1460,nop,wscale 
8,nop,nop,sackOK>
  
@191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to 
any no state label "USER_RULE"
  [ Evaluations: 49        Packets: 4         Bytes: 192         States: 0     ]
@252 block drop out log quick all label "Default deny rule"



Thanks

Thad
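Added example (not part of Thad's post or of pfSense): a small parser for the pf log lines quoted above that pulls out the rule number, direction, endpoints and TCP flags, and then evaluates the packet against the `flags S/SA` mask that the `keep state` rule at @191 carries. In tcpdump-style pf output the flag field lists S/F/R/P/U/W/E only; an ACK bit is shown as a separate `ack N` field, so a line reading `S, ... ack 323007018` is a SYN/ACK. The third log line is constructed for comparison and is not from the post.

```python
import re

# Constructed sample input: the two pf log lines quoted in the post, each
# re-joined onto one line, plus one constructed plain-SYN line for contrast.
PF_LOG = [
    "Dec  3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on vlan2: "
    "(tos 0x0, ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), length 52) "
    "10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0da9 (correct), "
    "4056631626:4056631626(0) ack 323007018 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>",
    "Dec  3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on vlan2: "
    "(tos 0x0, ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), length 52) "
    "10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360 (correct), "
    "4144994380:4144994380(0) ack 411542245 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>",
    # Constructed (not from the post): a plain SYN with no ack field.
    "Dec  3 10:07:00 192.76.18.8 pf: 000001 rule 191/0(match): pass in on vlan2: "
    "(tos 0x0, ttl 127, id 1, offset 0, flags [DF], proto TCP (6), length 52) "
    "10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0000 (correct), "
    "1:1(0) win 8192 <mss 1460,nop,nop,sackOK>",
]

# Matches the rule/action/interface header, the TCP endpoints, the tcpdump
# flag field and an optional trailing "ack N" field.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\S+): .*?proto TCP \(6\).*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUWE.]+), cksum .*?\d+:\d+\(\d+\)(?P<ack> ack \d+)?"
)


def tcp_flags(m):
    """Flag letters from the tcpdump field ('.' means none); ACK is implied
    by the presence of an 'ack N' field, not by an 'A' letter."""
    flags = set(m.group("flags")) - {"."}
    if m.group("ack"):
        flags.add("A")
    return flags


def matches_flag_spec(flags, spec="S/SA"):
    """pf semantics for 'flags X/Y': of the flags named in mask Y, exactly
    those named in X must be set. 'S/SA' therefore accepts SYN but not SYN/ACK."""
    want, mask = spec.split("/")
    return flags & set(mask) == set(want)


def parse_line(line):
    """Return a dict describing a TCP pf log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = tcp_flags(m)
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "src": f'{m.group("src")}:{m.group("sport")}',
        "dst": f'{m.group("dst")}:{m.group("dport")}',
        "flags": "".join(sorted(flags)),
        "is_syn_ack": flags >= {"S", "A"},
        "matches_S_SA": matches_flag_spec(flags, "S/SA"),
    }


def explain(line):
    """One-line assessment of why a 'flags S/SA keep state' rule does or does not match."""
    info = parse_line(line)
    if info is None:
        return "not a TCP pf log line"
    head = (f'rule {info["rule"]} {info["action"]} {info["dir"]} on {info["iface"]}: '
            f'{info["src"]} -> {info["dst"]} flags {info["flags"]}: ')
    if info["is_syn_ack"]:
        return head + ("SYN/ACK, so a 'flags S/SA keep state' rule cannot match it; "
                       "this is the reply half of a handshake that the other endpoint "
                       "opened, so the state has to be created by the rule that passes "
                       "the initial SYN in the opposite direction")
    if info["matches_S_SA"]:
        return head + "plain SYN, matches 'flags S/SA' and would create state"
    return head + "not a connection-opening packet for an S/SA rule"


if __name__ == "__main__":
    for entry in PF_LOG:
        print(explain(entry))
```

Run as-is, the script reports the first two quoted lines as SYN/ACK replies (flags `AS`) that `flags S/SA` can never accept, and the constructed third line as a plain SYN that would match. The `matches_flag_spec` helper accepts any `X/Y` spec, so the same check can be run against other masks when reviewing a rule set.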


