-----Original Message-----
> From: Evgeny Yurchenko [mailto:[email protected]]
> Sent: Friday, December 03, 2010 12:57 PM
> To: [email protected]
> Subject: Re: [pfSense Support] Firewall rule problem
>
> On 10-12-03 12:51 PM, Wakefield, Thad M. wrote:
> > I'm having a problem with the firewall rules with pfSense 1.2.3-RELEASE.
> >
> > The firewall is blocking the traffic from 10.0.150.250.1321 unless
> > state is not kept. Of course without the state the traffic is then
> > blocked on the egress port. Below are the log and firewall rules for
> > both cases. The results are the same if the source address is changed
> > to any. Any suggestions on how to resolve this would be greatly
> > appreciated.
> >
> > With keep state:
> >
> > Dec 3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on
> > vlan2: (tos 0x0, ttl 127, id 19405, offset 0, flags [DF], proto TCP
> > (6), length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0da9
> > (correct), 4056631626:4056631626(0) ack 323007018 win 8192 <mss
> > 1460,nop,wscale 8,nop,nop,sackOK>
> >
> > @191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port
> > = 1321 to any flags S/SA keep state label "USER_RULE"
> >   [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
> > @251 block drop in log quick all label "Default deny rule"
> >
> > Without keep state:
> >
> > Dec 3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on
> > vlan2: (tos 0x0, ttl 127, id 37671, offset 0, flags [DF], proto TCP
> > (6), length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360
> > (correct), 4144994380:4144994380(0) ack 411542245 win 8192 <mss
> > 1460,nop,wscale 8,nop,nop,sackOK>
> > Dec 3 10:06:01 192.76.18.8 pf: 000055 rule 252/0(match): block out
> > on bge0: (tos 0x0, ttl 126, id 19770, offset 0, flags [DF], proto TCP
> > (6), length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360
> > (correct), 4144994380:4144994380(0) ack 411542245 win 8192 <mss
> > 1460,nop,wscale 8,nop,nop,sackOK>
> >
> > @191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port
> > = 1321 to any no state label "USER_RULE"
> >   [ Evaluations: 49 Packets: 4 Bytes: 192 States: 0 ]
> > @252 block drop out log quick all label "Default deny rule"
> >
> > Thanks
> >
> > Thad
>
> When you try to establish this connection, probably the state already
> exists. Can you check it with
>   pfctl -ss | grep 1321
> If it does exist
>   10.0.150.250.1321 > 192.76.4.8.53145
> then I think the new one will be rejected.
>
> Evgeny.

Unfortunately that doesn't appear to be the problem. Thanks anyway.

Thad
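Added example, not part of the thread and not pfSense or pf code: a small Python model of how pf evaluates the `flags S/SA` clause that pfSense 1.2.3 attaches to a `keep state` rule, run against the log lines quoted above. pf's `flags want/mask` means that, of the flags named in `mask`, exactly those in `want` may be set, so `S/SA` accepts a bare SYN and rejects a SYN/ACK. In the old tcpdump-style pf log format the bare `S` is the SYN flag and the ACK flag is shown as `ack <number>`, so the logged packet from 10.0.150.250.1321 is a SYN/ACK; the `no state` rule in the thread carries no flags clause. The two log lines are copied from the thread; the third input, a plain SYN, is constructed for contrast. The parser, the `TcpLogEntry` class and the `rule_191_matches` model are this example's own and only cover the fields the thread's lines contain.

```python
import re
from dataclasses import dataclass

# Log lines copied from the thread above. pfSense 1.2.3 writes pf log entries
# in tcpdump's old verbose style: a bare "S" is the SYN flag, and ACK is shown
# as "ack <number>" after the sequence range rather than as a flag letter.
LOGGED_BLOCK = (
    "Dec 3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on "
    "vlan2: (tos 0x0, ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), "
    "length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0da9 "
    "(correct), 4056631626:4056631626(0) ack 323007018 win 8192 "
    "<mss 1460,nop,wscale 8,nop,nop,sackOK>"
)
LOGGED_PASS = (
    "Dec 3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on "
    "vlan2: (tos 0x0, ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), "
    "length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360 "
    "(correct), 4144994380:4144994380(0) ack 411542245 win 8192 "
    "<mss 1460,nop,wscale 8,nop,nop,sackOK>"
)
# Constructed variant (not from the thread): the same packet as a plain SYN,
# i.e. what a connection initiated by 10.0.150.250 itself would look like.
CONSTRUCTED_SYN = LOGGED_BLOCK.replace(" ack 323007018", "")

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>[^:\s]+): .*?proto (?P<proto>\w+) \(\d+\), length \d+\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s*>\s*(?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+),"
)
ACK_RE = re.compile(r"\(\d+\) ack \d+")


@dataclass
class TcpLogEntry:
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    fin: bool
    rst: bool


def parse_pf_log(line: str) -> TcpLogEntry:
    """Parse one pfSense 1.2.3 TCP log line into rule, direction, 5-tuple and flags."""
    m = LINE_RE.search(line)
    if m is None or m["proto"] != "TCP":
        raise ValueError("not a TCP pf log line: %r" % line)
    flags = m["flags"]
    return TcpLogEntry(
        rule=int(m["rule"]), action=m["action"], direction=m["dir"], iface=m["iface"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        syn="S" in flags, ack=ACK_RE.search(line) is not None,
        fin="F" in flags, rst="R" in flags,
    )


def flags_match(pkt: TcpLogEntry, want: str, mask: str) -> bool:
    """pf 'flags want/mask': of the flags named in mask, exactly those in want may be set.
    'S/SA' therefore accepts a bare SYN and rejects SYN/ACK, bare ACK, and so on."""
    present = {"S": pkt.syn, "A": pkt.ack, "F": pkt.fin, "R": pkt.rst}
    return all(present[f] == (f in want) for f in mask)


def rule_191_matches(pkt: TcpLogEntry, keep_state: bool) -> bool:
    """Model of rule @191 from the thread (hypothetical helper). With 'keep state'
    pfSense 1.2.3 emits 'flags S/SA'; the 'no state' variant has no flags clause."""
    if pkt.direction != "in" or pkt.iface != "vlan2":
        return False
    if pkt.src != "10.0.150.250" or pkt.sport != 1321:
        return False
    if keep_state and not flags_match(pkt, "S", "SA"):
        return False
    return True


if __name__ == "__main__":
    for label, line in (("logged", LOGGED_BLOCK), ("constructed SYN", CONSTRUCTED_SYN)):
        p = parse_pf_log(line)
        print(label, "syn=%s ack=%s" % (p.syn, p.ack),
              "keep state:", rule_191_matches(p, True),
              "no state:", rule_191_matches(p, False))
```

Running it shows the logged packet (SYN with an ACK number) failing `S/SA` and so falling through to the default deny, while the same packet passes the `no state` form and a constructed plain SYN passes both. Whether the state Evgeny asks about exists is a separate question; `pfctl -ss` answers that, and this example only covers the flags check.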
