--- On Fri, 12/3/10, Wakefield, Thad M. <[email protected]> wrote:

> From: Wakefield, Thad M. <[email protected]>
> Subject: RE: [pfSense Support] Firewall rule problem
> To: "[email protected]" <[email protected]>
> Date: Friday, December 3, 2010, 2:35 PM
>
> -----Original Message-----
> > From: Evgeny Yurchenko [mailto:[email protected]]
> > Sent: Friday, December 03, 2010 12:57 PM
> > To: [email protected]
> > Subject: Re: [pfSense Support] Firewall rule problem
> >
> > On 10-12-03 12:51 PM, Wakefield, Thad M. wrote:
> > > I'm having a problem with the firewall rules with pfSense 1.2.3-RELEASE.
> > >
> > > The firewall is blocking the traffic from 10.0.150.250.1321 unless state is not kept. Of course without the state the traffic is then blocked on the egress port. Below is the log and firewall rules for both cases. The results are the same if the source address is changed to any. Any suggestions on how to resolve this would be greatly appreciated.
> > >
> > > With keep state:
> > > Dec 3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on vlan2: (tos 0x0, ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0da9 (correct), 4056631626:4056631626(0) ack 323007018 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
> > >
> > > @191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to any flags S/SA keep state label "USER_RULE"
> > > [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
> > > @251 block drop in log quick all label "Default deny rule"
> > >
> > > Without keep state:
> > > Dec 3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on vlan2: (tos 0x0, ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360 (correct), 4144994380:4144994380(0) ack 411542245 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
> > > Dec 3 10:06:01 192.76.18.8 pf: 000055 rule 252/0(match): block out on bge0: (tos 0x0, ttl 126, id 19770, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360 (correct), 4144994380:4144994380(0) ack 411542245 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
> > >
> > > @191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to any no state label "USER_RULE"
> > > [ Evaluations: 49 Packets: 4 Bytes: 192 States: 0 ]
> > > @252 block drop out log quick all label "Default deny rule"
> > >
> > > Thanks
> > >
> > > Thad
> >
> > When you try to establish this connection probably the state already exists. Can you check it with
> > pfctl -ss | grep 1321
> > If it does exist
> >
> > 10.0.150.250.1321 > 192.76.4.8.53145
> >
> > then I think new one will be rejected.
> >
> > Evgeny.
>
> Unfortunately that doesn't appear to be the problem.
>
> Thanks anyway.
>
> Thad

Can you send me a .pcap file with this packet please? Once I saw a similar problem when the IP header had additional options. The packet just did not follow my rule and that is it!

Thanks.
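As an added illustration, not part of the thread, the following Python parses the two pf log lines quoted above and evaluates the packet's TCP flags against the `flags S/SA` clause of rule @191 versus the flag-less `no state` version. It assumes the tcpdump format used for these log lines reports the ACK bit only as a separate `ack N` field rather than as a flag letter, so a logged `S ... ack N` packet carries SYN+ACK; the parser, `flags_match` and `rule_applies` are constructed for this example.

```python
import re

# The two pf log lines quoted in the thread, retyped here as constructed sample input.
LOG_LINES = [
    "Dec 3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on vlan2: "
    "(tos 0x0, ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), length 52) "
    "10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0da9 (correct), "
    "4056631626:4056631626(0) ack 323007018 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>",
    "Dec 3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on vlan2: "
    "(tos 0x0, ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), length 52) "
    "10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360 (correct), "
    "4144994380:4144994380(0) ack 411542245 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>",
]

LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r".*?proto TCP \(6\), length \d+\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+),"
)

def parse_pflog(line):
    """Extract rule number, action, direction, endpoints and the TCP flag set from a pf log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    flags = set(rec["flags"].replace(".", ""))  # a lone "." means no flags in this format
    # Assumed older tcpdump convention: the ACK bit appears only as a separate "ack N" field.
    if re.search(r"\(\d+\) ack \d+", line):
        flags.add("A")
    rec.update(rule=int(rec["rule"]), sport=int(rec["sport"]), dport=int(rec["dport"]), flags=flags)
    return rec

def flags_match(flags, spec):
    """pf 'flags X/Y' semantics: of the bits in mask Y, exactly the bits in X must be set."""
    if spec is None:  # rule has no flags clause, e.g. the 'no state' variant of @191
        return True
    want, mask = spec.split("/")
    return flags & set(mask) == set(want)

def rule_applies(rec, src, sport, flags_spec):
    """Would a 'pass in ... from src port sport ... flags flags_spec' rule match this packet?"""
    return rec["src"] == src and rec["sport"] == sport and flags_match(rec["flags"], flags_spec)

if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_pflog(line)
        print(rec["rule"], rec["action"], sorted(rec["flags"]),
              "S/SA:", rule_applies(rec, "10.0.150.250", 1321, "S/SA"),
              "no flags:", rule_applies(rec, "10.0.150.250", 1321, None))
```

Under that reading both logged packets have SYN and ACK set, which fails `S/SA` (exactly SYN out of SYN+ACK) but satisfies a rule with no flags clause, matching the two outcomes shown in the logs.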
