From: sam
Date: Wed, 04 May 2005 21:31:16 +0800
To: freebsd-pf@freebsd.org, freebsd-current@freebsd.org
Subject: PF blocking Pass rules
Message-ID: <4278CEA4.2030609@tech-21.com.hk>
List-Id: Discussions about the use of FreeBSD-current

Hi,

I don't know what happened. I just set up an internal LAN firewall using PF (v3.6). The PF firewall has its defaultrouter set to the external firewall (facing the internet). All my PCs have their default gateway set to the PF firewall. When I start downloading an iso file from some website, the first 13% was fine, then the PF firewall suddenly started blocking the traffic from my PC to the external website from which I am downloading the file. After a while (about 6 minutes), my download resumed, then stopped for 5 minutes, then resumed....
Here are the running rules loaded into memory on the PF firewall:

root@intgw2:/usr/local/etc# pfctl -sr
block drop in log all
pass quick on xl0 proto pfsync all
pass in on fxp0 inet proto carp from 10.1.254.250 to any keep state
pass in on fxp1 inet proto carp from 10.3.254.250 to any keep state
pass in on fxp0 inet proto tcp from 10.1.0.0/16 to any flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 13:156 flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 1024:60000 flags S/SA keep state
pass in on fxp0 proto udp from any to any port 1024:60000 keep state
pass in on fxp0 inet proto udp from 10.1.0.0/16 to any keep state
pass in on fxp0 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto tcp from any to 10.1.255.255 keep state
pass in on fxp0 inet proto udp from any to 10.1.255.255 keep state
pass in on fxp1 proto udp from any to any port 13:156 keep state
pass in on fxp1 proto udp from any to any port 1024:60000 keep state
pass in on fxp1 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto tcp from any to 10.3.255.255 keep state
pass in on fxp1 inet proto udp from any to 10.3.255.255 keep state
pass out quick on fxp0 all keep state
pass out quick on fxp1 all keep state

Some of the block events are logged as follows:

....
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
....

How can I change the PF rule to fix this problem?

Thanks
Sam.
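An added triage example, not part of Sam's message and not PF's own tooling: a small Python parser for pflog lines in the format quoted above. The point it makes is about how the quoted ruleset behaves. Every pass rule that could match this traffic carries "flags S/SA keep state", which only matches a packet whose SYN bit is set and ACK bit clear, so a later FIN/ACK of an established connection can only be passed by its state entry; when no state matches, it falls through to "block drop in log all" (rule 0), which is exactly what the logged lines show. The parser classifies each blocked TCP packet as either a SYN that no pass rule matched (a rule problem) or a non-SYN packet with no state entry (state expired, created on a different firewall, or not synced), and groups blocks per flow so a cluster like the one above stands out. The sample input is the four quoted lines plus one constructed SYN line; the category names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the four pflog lines quoted in the message, plus one
# constructed SYN line (not from the message) so both categories are exercised.
SAMPLE_LOG = """\
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
000042 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4200 > 195.141.40.21.80: S 77:77(0) win 65535
"""

# One pflog line in the layout quoted above: a leading counter, "rule N/M(reason):",
# action, direction, interface, then the IPv4 host.port pair and the old
# single-letter tcpdump TCP flag field (S, F, R, P or "."), then the remainder.
LINE_RE = re.compile(
    r"^(?P<counter>\d+)\s+rule\s+(?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>block|pass)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)


@dataclass
class PfLogEntry:
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    has_ack: bool

    def category(self) -> str:
        """Why did this packet reach the default block rule?

        A pass rule with "flags S/SA" only matches SYN-without-ACK, so a blocked
        SYN never matched any pass rule (rule problem).  Any other packet of an
        established flow is passed only by its state entry; if it is blocked,
        no state matched it (state expired, created elsewhere, or not synced).
        Category names are this example's own.
        """
        if "S" in self.flags and not self.has_ack:
            return "syn-no-rule-match"
        return "no-state-entry"


def parse_line(line: str) -> Optional[PfLogEntry]:
    """Parse one log line; return None for separators like '....' or noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return PfLogEntry(
        rule=int(m["rule"]), action=m["action"], direction=m["direction"],
        iface=m["iface"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), flags=m["flags"],
        has_ack=re.search(r"\back\b", m["rest"]) is not None,
    )


def parse_log(text: str) -> List[PfLogEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def summarize(entries: List[PfLogEntry]) -> Tuple[Counter, Counter]:
    """Count blocked packets per category and per (src, dst, dport) flow."""
    blocked = [e for e in entries if e.action == "block"]
    by_cat = Counter(e.category() for e in blocked)
    by_flow = Counter((e.src, e.dst, e.dport) for e in blocked)
    return by_cat, by_flow


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    cats, flows = summarize(parsed)
    for cat, n in cats.most_common():
        print(f"{n:4d}  {cat}")
    for (src, dst, dport), n in flows.most_common():
        print(f"{n:4d}  {src} -> {dst}:{dport}")
```

Run it against the output of tcpdump on pflog0 (or the four lines above) to separate the two failure modes before touching the ruleset: a pile of "no-state-entry" FIN/ACK blocks to one server, with no blocked SYNs, points at the state table rather than at rule order.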