[Solved] Why is traffic apparently being blocked when I have a rule to allow it?

My simplified ruleset of interest is:

Code:
# LAN interface
pass out quick on wan proto {tcp udp} to port {http https} flags S/SA keep state queue normal
pass in quick on wired proto {tcp udp} from \
    {$zone_nintendo} \
    to port {http https} flags S/SA keep state

block log (to pflog1) quick on LAN

Yes, I am still seeing traffic logged on pflog1 to TCP port 443:

Code:
21:20:49.132741 IP (tos 0x0, ttl 64, id 64177, offset 0, flags [DF], proto TCP (6), length 52)
    {LAN_IP}.51000 > {SOME_AMAZON_AWS_SERVER}.443: Flags [R.], cksum 0xd878 (correct), seq 1348, ack 1, win 1032, options [nop,nop,TS val 176667222 ecr 2376698083], length 0

I omitted the actual IPs. Is it being blocked or is it just logging it for some other reason? I was trying to diagnose another issue and am unsure if this is related or not.
 
I have noticed the same thing, haven't dug into it though, I assume mine are packets for which the state has been dropped so they don't match anything (by default, state will only be created on initial SYN, which your example packet is not). Again, I haven't read or verified that this is the case, and since I haven't noticed impact, I keep procrastinating the research.
 
Ah, good catch, thanks for pointing me in the right direction. I think I may either need to update my rule to allow those other states, or perhaps update my block log rule to discard those other states, or perhaps put them in another interface separately.
 
Before you get too wrapped around the axle, be sure that you have cleared out all existing connections after changing PF rules. Restarting or running service pf restart should do it. (Best run from a local console.)

Also, use tcpdump -e […] on the pflog device to show pass/block status.
 
Yes, I restarted with service pf restart. What is tcpdump -e [.]? That isn't working for me.

I am still seeing similar output:

08:25:38.989953 IP (tos 0x0, ttl 64, id 41306, offset 0, flags [DF], proto TCP (6), length 52)
    {LAN_IP}.55822 > {SOME_AMAZON_AWS_SERVER}.80: Flags [F.], cksum 0xd2c3 (correct), seq 0, ack 1, win 1032, options [nop,nop,TS val 216557661 ecr 1797415907], length 0
 
What is tcpdump -e [.]? That isn't working for me.
Add “-e” to your tcpdump(1) command line. It will give you this type of output on pflog devices:

12:45:14.166419 rule 40/0(match): pass in on eth0: 10.0.1.81.61097 > 10.0.1.210.22: Flags [S], seq 3735582673, win 65535, options [mss 1460, [|tcp]

Instead of (no -e):
12:45:14.166419 IP 10.0.1.81.61097 > 10.0.1.210.22: Flags [S], seq 3735582673, win 65535, options [mss 1460, [|tcp]
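To tie the two answers together: with `flags S/SA keep state` only the SYN creates a state entry, so a late RST or FIN that belongs to no state falls through to `block log`, while a blocked bare SYN means a new connection really was refused. The script below is an added example (not from this thread or from the pf/tcpdump projects) that parses the `tcpdump -e` pflog line format shown above and sorts block entries into those two cases. The four sample lines are constructed to follow that format; the interface names, rule numbers and addresses in them are made up.

```python
# Added example (not from the original thread): a small parser for the
# "tcpdump -e" pflog line format, used to sort block-log entries into
# "new connection refused" versus "teardown packet with no state entry".
import re
from collections import Counter

# Line shape follows the "rule N/0(match): pass in on IFACE:" output quoted
# in the thread. The sample lines are constructed, not captured traffic.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

SAMPLE_LINES = [
    "12:45:14.166419 rule 40/0(match): pass in on eth0: 10.0.1.81.61097 > 10.0.1.210.22: Flags [S], seq 3735582673, win 65535, options [mss 1460, [|tcp]",
    "21:20:49.132741 rule 3/0(match): block in on em0: 192.0.2.10.51000 > 198.51.100.7.443: Flags [R.], seq 1348, ack 1, win 1032, length 0",
    "08:25:38.989953 rule 3/0(match): block in on em0: 192.0.2.10.55822 > 198.51.100.7.80: Flags [F.], seq 0, ack 1, win 1032, length 0",
    "09:00:01.000000 rule 3/0(match): block in on em0: 192.0.2.10.40000 > 198.51.100.9.443: Flags [S], seq 1, win 65535, length 0",
]


def split_host_port(endpoint):
    """'10.0.1.81.61097' -> ('10.0.1.81', 61097); tcpdump puts a dot before the port."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict for one tcpdump -e pflog line, or None if the line does not match."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["rule"] = int(entry["rule"])
    entry["src_host"], entry["src_port"] = split_host_port(entry["src"])
    entry["dst_host"], entry["dst_port"] = split_host_port(entry["dst"])
    return entry


def classify(entry):
    """Explain why a packet reached the log rule.

    A blocked bare SYN means no pass rule matched a new connection (a real
    rule gap). RST/FIN without SYN means the packet matched no state entry:
    with 'flags S/SA keep state' only the SYN creates state, so stray or
    late teardown packets hit the block rule even though the connection
    itself was allowed.
    """
    if entry["action"] == "pass":
        return "passed"
    letters = set(entry["flags"]) - {"."}  # '.' is tcpdump's ACK marker
    if letters == {"S"} and "." not in entry["flags"]:
        return "blocked-syn"
    if letters & {"R", "F"}:
        return "blocked-no-state"
    return "blocked-other"


def triage(lines):
    """Count entries per category; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        entry = parse_pflog_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_pflog_line(line)
        print(f"rule {e['rule']:>3} {e['action']:5} {e['dir']:3} {e['ifname']:5} "
              f"{e['src_host']}:{e['src_port']} -> {e['dst_host']}:{e['dst_port']} "
              f"[{e['flags']}] {classify(e)}")
    print(triage(SAMPLE_LINES))
```

Feed it real output with something like `tcpdump -n -e -ttt -r /var/log/pflog | python3 triage.py` once the `__main__` section is changed to read stdin; on the constructed samples it reports one passed SYN, one refused SYN, and two no-state RST/FIN packets, which is the noise the thread is asking about.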
 