On 10-12-03 12:51 PM, Wakefield, Thad M. wrote:
I'm having a problem with the firewall rules with pfSense 1.2.3-RELEASE.

The firewall is blocking the traffic from 10.0.150.250.1321 unless state is not 
kept. Of course without the state the traffic is then blocked on the egress 
port. Below is the log and firewall rules for both cases. The results are the 
same if the source address is changed to any. Any suggestions on how to resolve 
this would be greatly appreciated.


With keep state:
Dec  3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on vlan2: (tos 0x0, 
ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321> 
 192.76.4.8.53145: S, cksum 0x0da9 (correct), 4056631626:4056631626(0) ack 323007018 win 
8192<mss 1460,nop,wscale 8,nop,nop,sackOK>

@191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to any flags 
S/SA keep state label "USER_RULE"
   [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     
]
@251 block drop in log quick all label "Default deny rule"



Without keep state:
Dec  3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on vlan2: (tos 0x0, 
ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321> 
 192.76.4.8.53145: S, cksum 0xc360 (correct), 4144994380:4144994380(0) ack 411542245 win 
8192<mss 1460,nop,wscale 8,nop,nop,sackOK>
Dec  3 10:06:01 192.76.18.8 pf: 000055 rule 252/0(match): block out on bge0: (tos 0x0, 
ttl 126, id 19770, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321> 
 192.76.4.8.53145: S, cksum 0xc360 (correct), 4144994380:4144994380(0) ack 411542245 win 
8192<mss 1460,nop,wscale 8,nop,nop,sackOK>

@191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to any no 
state label "USER_RULE"
   [ Evaluations: 49        Packets: 4         Bytes: 192         States: 0     
]
@252 block drop out log quick all label "Default deny rule"



Thanks

Thad
When you try to establish this connection probably the state already exists. Can you check it with
pfctl -ss | grep 1321
If it does exist

10.0.150.250.1321>  192.76.4.8.53145

then I think new one will be rejected.

Evgeny.
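One more thing a reader can check against the rules quoted above, as an added worked example that is not part of the original thread. The keep-state version of rule @191 carries `flags S/SA`, which pf reads as "of the SYN and ACK bits, exactly SYN must be set"; the no-state version has no flags clause at all. In the tcpdump 3.x output that pfSense 1.2.3 writes to the log, the letter `S` before `cksum` means SYN, and a separate `ack <n>` field means the ACK bit is also set. The script below parses the two log lines from the thread (joined back together across the mail wrapping) and evaluates them against both forms of the rule; the flag encoding and the log regex are this example's own assumptions about that output format, not something the thread states.

```python
import re

# TCP flag letters as pf uses them in a "flags X/Y" clause, mapped to their header bits.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# Log lines copied from the thread above, re-joined across the e-mail line wrapping.
BLOCKED_LINE = (
    "Dec  3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on vlan2: (tos 0x0, "
    "ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321> "
    " 192.76.4.8.53145: S, cksum 0x0da9 (correct), 4056631626:4056631626(0) ack 323007018 win "
    "8192<mss 1460,nop,wscale 8,nop,nop,sackOK>"
)
PASSED_LINE = (
    "Dec  3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on vlan2: (tos 0x0, "
    "ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321> "
    " 192.76.4.8.53145: S, cksum 0xc360 (correct), 4144994380:4144994380(0) ack 411542245 win "
    "8192<mss 1460,nop,wscale 8,nop,nop,sackOK>"
)


def parse_flag_set(letters):
    """Turn a string such as 'SA' into a bitmask (empty string -> 0)."""
    mask = 0
    for ch in letters:
        mask |= TCP_FLAGS[ch]
    return mask


def parse_flags_clause(clause):
    """'S/SA' -> (bits that must be set, bits that are examined).

    pf only looks at the bits named after the slash; every other bit is ignored.
    """
    want, check = clause.split("/")
    return parse_flag_set(want), parse_flag_set(check)


def flags_match(packet_bits, clause):
    """Return True if a packet with these flag bits satisfies a pf 'flags' clause."""
    want, check = parse_flags_clause(clause)
    return (packet_bits & check) == want


def packet_flags_from_log(line):
    """Extract the TCP flag bits from a tcpdump 3.x style pflog line (assumed format).

    tcpdump 3.x prints the SYN/FIN/RST/PSH/ECE/CWR letters (or '.') just before
    ', cksum' and signals a set ACK bit with a separate 'ack <n>' field.
    """
    m = re.search(r":\s*([SFRPEW.]+),\s*cksum", line)
    if m is None:
        raise ValueError("no TCP flag field found in log line")
    bits = 0
    for ch in m.group(1):
        if ch != ".":
            bits |= TCP_FLAGS[ch]
    if re.search(r"\back \d+", line):   # \b keeps 'sackOK' from matching
        bits |= TCP_FLAGS["A"]
    return bits


def describe(bits):
    """Render flag bits back as pf letters, e.g. 0x12 -> 'SA'."""
    return "".join(ch for ch, v in TCP_FLAGS.items() if bits & v) or "."


def rule_matches(line, flags_clause):
    """Would a 'pass ... flags <clause>' rule match the TCP flags in this log line?

    flags_clause=None models the 'no state' form of rule @191, which carries no
    flags clause and therefore matches any flag combination.
    """
    if flags_clause is None:
        return True
    return flags_match(packet_flags_from_log(line), flags_clause)


if __name__ == "__main__":
    for name, line in (("blocked (keep state)", BLOCKED_LINE),
                       ("passed (no state)", PASSED_LINE)):
        bits = packet_flags_from_log(line)
        print(f"{name}: packet flags {describe(bits)}; "
              f"'flags S/SA' matches: {rule_matches(line, 'S/SA')}; "
              f"no flags clause matches: {rule_matches(line, None)}")
```

Both packets decode as SYN+ACK, so they fail the `S/SA` test that the keep-state rule applies and fall through to the default deny, while the no-state rule, having no flags clause, passes them. Whichever explanation turns out to apply in a given case, comparing the decoded flags against the rule's flags clause is a quick check to run alongside `pfctl -ss` before touching the rule set.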
