From owner-freebsd-pf@FreeBSD.ORG Sat Sep 13 19:52:42 2014
From: Andrei Brezan
To: pf@freebsd.org
Date: Sat, 13 Sep 2014 21:52:38 +0200
Subject: pf firewall blocking packets with a pass rule in place
Message-ID: <5414A086.5020608@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I have some odd behaviour on one network which has a pf gateway firewall. This is from a tcpdump on pflog on the firewall; 1.2.3.4 is my remote address, 5.6.7.8 is the pf firewall, 10.0.0.252 is an OpenVPN server (tap) behind the firewall, 10.0.0.250 is my mail server:

20:45:26.682551 rule 32..16777216/0(match): pass out on vlan333: 1.2.3.4.61384 > 10.0.0.252.1194: UDP, length 14
20:46:36.230485 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.57412 > 10.0.0.250.80: Flags [S], seq 1335812154, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 687134035 ecr 0], length 0
20:46:36.244606 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.53156 > 10.0.0.250.443: Flags [S], seq 3626719163, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3971340937 ecr 0], length 0
20:52:28.494174 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.51684 > 10.0.0.250.993: Flags [S], seq 3306743615, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2707206732 ecr 0], length 0
20:52:30.650788 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.59297 > 10.0.0.250.993: Flags [S], seq 4090099168, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2986073365 ecr 0], length 0
20:57:27.585665 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.50367 > 10.0.0.250.80: Flags [S], seq 920232625, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 809211507 ecr 0], length 0
20:57:27.599151 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54013 > 10.0.0.250.443: Flags [S], seq 281501721, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 1810969707 ecr 0], length 0
21:01:13.826452 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.64792 > 10.0.0.250.25: Flags [S], seq 1871587187, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 1261752165 ecr 0], length 0
21:03:16.371844 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515, ack 2361346111, win 1026, options [nop,nop,TS val 5284083 ecr 52159031], length 37
21:03:16.372008 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [F.], seq 37, ack 1, win 1026, options [nop,nop,TS val 5284083 ecr 52159031], length 0
21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2062181022 ecr 0], length 0
21:03:16.615875 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284327 ecr 52159031], length 37
21:03:16.891824 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284603 ecr 52159031], length 37
21:03:17.231604 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5284943 ecr 52159031], length 37
21:03:17.685793 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5285397 ecr 52159031], length 37
21:03:18.408137 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5286119 ecr 52159031], length 37
21:03:19.583723 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5287295 ecr 52159031], length 37
21:03:21.713816 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5289425 ecr 52159031], length 37
21:03:25.766916 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5293478 ecr 52159031], length 37
21:03:33.679722 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5301391 ecr 52159031], length 37
21:03:49.240190 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5316951 ecr 52159031], length 37
21:04:04.821702 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5332533 ecr 52159031], length 37
21:04:20.382912 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [FP.], seq 0:37, ack 1, win 1026, options [nop,nop,TS val 5348094 ecr 52159031], length 37
21:04:35.947297 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [R.], seq 38, ack 1, win 1026, options [nop,nop,TS val 5363658 ecr 52159031], length 0
21:38:41.708989 rule 32..16777216/0(match): pass out on igb0: 5.6.7.8.54206 > 1.2.3.4.61384: UDP, length 101
21:40:11.470576 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.58407 > 10.0.0.250.993: Flags [S], seq 3179386733, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 3544878749 ecr 0], length 0
21:41:10.356274 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.63184 > 1.2.3.4.58407: Flags [R.], seq 542623300, ack 3179387863, win 0, length 0
21:42:42.139787 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.58246 > 10.0.0.250.993: Flags [S], seq 2033854095, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2222918259 ecr 0], length 0
21:42:58.173371 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.55938 > 1.2.3.4.58246: Flags [P.], seq 1671786524:1671786577, ack 2033855225, win 252, options [nop,nop,TS val 52409345 ecr 7663492], length 53
21:43:01.035543 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.62485 > 1.2.3.4.51684: Flags [R.], seq 1560010735, ack 3306749941, win 0, length 0
21:43:43.457948 rule 32..16777216/0(match): pass out on vlan333: 1.2.3.4.61028 > 192.168.0.252.1194: UDP, length 14
21:43:51.279156 rule 32..16777216/0(match): pass out on igb0: 5.6.7.8.64507 > 1.2.3.4.61028: UDP, length 101
21:44:42.074698 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.57041 > 10.0.0.250.993: Flags [S], seq 3652350806, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2369373378 ecr 0], length 0
21:45:11.441957 rule 0..16777216/0(match): block in on vlan333: 10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445, ack 3275340784, win 255, length 1

I really don't understand why these packets are blocked.
I'm experiencing intermittent and random connection loss which, what's really odd, happens mostly during the evening or night. Also, I don't see the pass in pflog for the established state, and after this round of blocked packets I am still able to connect to the IMAPS server:

% sudo pfctl -vvs state | grep -A 3 -E "1.2.3.4.*993"
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 1.2.3.4:59297 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [4090185320 + 65054] wscale 6  [521715590 + 65664] wscale 8
   age 00:43:22, expires in 23:58:49, 1341:1208 pkts, 155891:390868 bytes, rule 35
   id: 0300000053fe8341 creatorid: d8aa2c51
--
all tcp 1.2.3.4:54106 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [2304345867 + 65536] wscale 6  [3058330740 + 65664] wscale 8
   age 01:39:27, expires in 23:58:45, 197:161 pkts, 22303:35201 bytes, rule 35
   id: 0000000053fe91c7 creatorid: d8aa2c51
--
all tcp 1.2.3.4:51684 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [3306749755 + 64806] wscale 6  [1560010681 + 65664] wscale 8
   age 00:43:24, expires in 23:37:21, 163:285 pkts, 14623:190269 bytes, rule 35
   id: 0000000053fe9440 creatorid: d8aa2c51
--
all tcp 1.2.3.4:54156 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [3275340128 + 64626] wscale 6  [2259430819 + 65664] wscale 8
   age 00:32:36, expires in 24:00:00, 374:490 pkts, 32475:273389 bytes, rule 35
   id: 0000000053fe944f creatorid: d8aa2c51

% sudo pfctl -vvs state | grep -A 3 -E "993.*1.2.3.4"
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:59297       ESTABLISHED:ESTABLISHED
   [521721120 + 65664] wscale 8  [4090191500 + 64828] wscale 6
   age 00:44:12, expires in 23:59:55, 1429:1274 pkts, 166647:399830 bytes
   id: 0300000053fe8340 creatorid: d8aa2c51
--
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54106       ESTABLISHED:ESTABLISHED
   [3058330915 + 1026]  [2304346089 + 255]
   age 00:51:21, expires in 23:59:51, 71:53 pkts, 7588:5901 bytes
   id: 0000000053fe9427 creatorid: d8aa2c51
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:51684       ESTABLISHED:ESTABLISHED
   [1560010681 + 65664] wscale 8  [3306749755 + 64806] wscale 6
   age 00:44:14, expires in 23:36:31, 163:285 pkts, 14623:190269 bytes
   id: 0000000053fe943f creatorid: d8aa2c51
--
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156       ESTABLISHED:ESTABLISHED
   [2259430819 + 65664] wscale 8  [3275340128 + 64626] wscale 6
   age 00:33:26, expires in 23:59:10, 374:490 pkts, 32475:273389 bytes
   id: 0000000053fe944e creatorid: d8aa2c51

Does anyone have any idea what might be amiss here? What can I look into? I hope someone with more pf and TCP knowledge than me can shed some light.

Thank you,
-- 
Andrei
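When pf logs a "rule 0 ... block" for a flow that should already have a state, the first bookkeeping question is whether the state table actually held an entry for that exact 4-tuple at the time. Doing that by eye across a long pflog capture and a `pfctl -vvs state` dump is error-prone, so here is an added example script (not code from the post or from the FreeBSD project) that parses both outputs and reports, for every blocked packet, whether a matching connection was present in the dump. It assumes pflog lines in the form tcpdump prints them (as in the post) and state header lines in `pfctl -vvs state` format, including the NAT form `10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156`, where the translated address is also keyed because that is what the remote peer sees. The sample input is constructed from the post's excerpts, with TCP options trimmed; it also assumes the log and the dump cover the same time window, which in the post they do not, so on real data capture both at once.

```python
"""Correlate pf 'block' log entries with a pfctl state dump (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Endpoint = Tuple[str, int]
FlowKey = FrozenSet[Endpoint]  # unordered endpoint pair identifies one connection

# tcpdump rendering of a pflog record, e.g.
# "21:03:16.371844 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)\.\.\S+?\(match\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)
# pfctl -vvs state header line, with optional NAT address in parentheses, e.g.
# "all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156       ESTABLISHED:ESTABLISHED"
STATE_RE = re.compile(
    r"^all tcp (?P<a>[\d.]+):(?P<ap>\d+)(?: \((?P<na>[\d.]+):(?P<nap>\d+)\))?"
    r" (?:->|<-) (?P<b>[\d.]+):(?P<bp>\d+)\s+(?P<state>\S+)"
)


@dataclass
class Packet:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    src: Endpoint
    dst: Endpoint
    flags: str  # empty for non-TCP (e.g. UDP) records


def parse_pflog(text: str) -> List[Packet]:
    """Parse tcpdump-on-pflog lines; anything that does not match is skipped."""
    pkts = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["ts"], int(m["rule"]), m["action"], m["direction"],
                               m["ifname"], (m["src"], int(m["sport"])),
                               (m["dst"], int(m["dport"])), m["flags"] or ""))
    return pkts


def parse_states(text: str) -> Set[FlowKey]:
    """Collect the connections in the dump; detail lines ('age ...', '--') are ignored."""
    keys: Set[FlowKey] = set()
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        a, b = (m["a"], int(m["ap"])), (m["b"], int(m["bp"]))
        keys.add(frozenset((a, b)))
        if m["na"]:  # NAT entry: the peer talks to the translated address, key that too
            keys.add(frozenset(((m["na"], int(m["nap"])), b)))
    return keys


def correlate(pflog_text: str, state_text: str) -> List[Dict[str, object]]:
    """For each blocked packet, record whether the dump held its connection."""
    states = parse_states(state_text)
    report = []
    for p in parse_pflog(pflog_text):
        if p.action != "block":
            continue
        report.append({
            "ts": p.ts, "rule": p.rule, "ifname": p.ifname, "direction": p.direction,
            "flags": p.flags, "flow": f"{p.src[0]}:{p.src[1]} > {p.dst[0]}:{p.dst[1]}",
            "has_state": frozenset((p.src, p.dst)) in states,
        })
    return report


# Constructed sample input, taken from the post's excerpts and trimmed.
SAMPLE_PFLOG = """\
21:03:16.371844 rule 0..16777216/0(match): block out on vlan333: 1.2.3.4.54922 > 10.0.0.250.993: Flags [P.], seq 3402837478:3402837515, ack 2361346111, win 1026, length 37
21:03:16.373308 rule 35..16777216/0(match): pass out on vlan333: 1.2.3.4.54156 > 10.0.0.250.993: Flags [S], seq 3275327108, win 65535, length 0
21:38:41.708989 rule 32..16777216/0(match): pass out on igb0: 5.6.7.8.54206 > 1.2.3.4.61384: UDP, length 101
21:41:10.356274 rule 0..16777216/0(match): block out on igb0: 5.6.7.8.63184 > 1.2.3.4.58407: Flags [R.], seq 542623300, ack 3179387863, win 0, length 0
21:45:11.441957 rule 0..16777216/0(match): block in on vlan333: 10.0.0.250.993 > 1.2.3.4.54156: Flags [.], seq 2259431444:2259431445, ack 3275340784, win 255, length 1
"""
SAMPLE_STATES = """\
all tcp 1.2.3.4:59297 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [4090185320 + 65054] wscale 6  [521715590 + 65664] wscale 8
   age 00:43:22, expires in 23:58:49, 1341:1208 pkts, 155891:390868 bytes, rule 35
--
all tcp 1.2.3.4:54156 -> 10.0.0.250:993       ESTABLISHED:ESTABLISHED
   [3275340128 + 64626] wscale 6  [2259430819 + 65664] wscale 8
all tcp 10.0.0.250:993 (5.6.7.8:993) <- 1.2.3.4:54156       ESTABLISHED:ESTABLISHED
   [2259430819 + 65664] wscale 8  [3275340128 + 64626] wscale 6
"""

if __name__ == "__main__":
    for r in correlate(SAMPLE_PFLOG, SAMPLE_STATES):
        print(f"{r['ts']} block {r['direction']} on {r['ifname']}: {r['flow']} "
              f"[{r['flags']}] state_in_dump={r['has_state']}")
```

On the sample, the two blocked flows from port 54922 and to port 58407 have no state in the dump, while the blocked inbound packet for 10.0.0.250:993 > 1.2.3.4:54156 does. A `has_state` of False points at state lookup (the state never existed, expired, or lives on another interface or a different address after translation); a True points at the packet being rejected despite a state, which is where the state's sequence-window and interface fields become the next thing to compare. The script only does the matching; it does not decide which of those applies.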