PF Blocked out FP Flags

Hi Guys,

I still have some difficulty understanding why some outgoing packets are "blocked".
I thought I had overridden some rules, but I left the firewall as clean as possible to test, and I don't understand why.

I reduced my pf.conf to something simple and clean:

tcp_services_in="{ 22, 80, 443 }"
set skip on lo0
scrub in all
block log all
pass out all keep state
pass in proto tcp to port $tcp_services_in keep state

When I connect via ssh (successfully), some time later PFLOG shows some blocked packets, approximately 4 packets/minute.
But my connection isn't dropped. It only appears in the logs.

I think those are return packets from my server to the client.
So, I tested the "egress" directive, but it seems it doesn't work on FreeBSD.

So, with "pass OUT all", why is there a block out on flags F(in) and (P)ush? Will I have problems with this?

PFLOG:

2021-10-18 19:45:57.249439 rule 0/0(match) [uid 0]: block out on ena0: 172.31.74.65.22 > xx.xxx.xxx.xxx.5069: Flags [FP.], seq 4294966912:52, ack 1, win 1035, options [nop,nop,TS val 1707203848 ecr 252342300], length 436

Thanks again,
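As an added example, not part of the original post, the following parser reads pflog text lines in the tcpdump-style format of the line quoted above and separates blocked egress packets that are replies from a served port carrying teardown flags (F/R) from other blocked egress traffic, which is the first split to make when deciding whether such log noise matters. The sample lines other than the one from the post are constructed, and the set of served ports is assumed to match the `tcp_services_in` macro.

```python
import re
from collections import Counter

# Matches the tcpdump-style pflog text format of the line quoted in the post
# (timestamp, rule, uid, action, direction, interface, endpoints, TCP flags).
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\S+) \[uid (?P<uid>\d+)\]: "
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>[^ ]+)\.(?P<sport>\d+) > (?P<dst>[^ ]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# TCP flags that mean the segment belongs to a connection being torn down.
TEARDOWN = {"F", "R"}

# Constructed sample input; only the first line is the one from the post.
SAMPLE_LINES = [
    "2021-10-18 19:45:57.249439 rule 0/0(match) [uid 0]: block out on ena0: 172.31.74.65.22 > xx.xxx.xxx.xxx.5069: Flags [FP.], seq 4294966912:52, ack 1, win 1035, options [nop,nop,TS val 1707203848 ecr 252342300], length 436",
    # constructed: a later pure-FIN retransmit on the same session
    "2021-10-18 19:46:12.000001 rule 0/0(match) [uid 0]: block out on ena0: 172.31.74.65.22 > xx.xxx.xxx.xxx.5069: Flags [F.], seq 52, ack 1, win 1035, length 0",
    # constructed: a blocked new outbound SYN, which is the kind worth a look
    "2021-10-18 19:47:00.000002 rule 0/0(match) [uid 0]: block out on ena0: 172.31.74.65.41234 > 203.0.113.9.25: Flags [S], seq 100, win 65535, length 0",
    # constructed: an inbound block, ignored by the egress summary
    "2021-10-18 19:47:30.000003 rule 0/0(match) [uid 0]: block in on ena0: 198.51.100.7.55555 > 172.31.74.65.23: Flags [S], seq 1, win 1024, length 0",
]


def parse_pflog_line(line):
    """Return the parsed fields of one TCP pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["teardown"] = bool(TEARDOWN & set(rec["flags"]))
    return rec


def summarize_blocked_out(lines, served_ports):
    """Count blocked egress packets by (interface, kind, flags, teardown).

    A source port in served_ports means the packet is a reply from one of the
    host's own listeners; anything else is an outbound connection attempt.
    """
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block" or rec["dir"] != "out":
            continue
        kind = "reply" if rec["sport"] in served_ports else "outbound"
        counts[(rec["iface"], kind, rec["flags"], rec["teardown"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_blocked_out(SAMPLE_LINES, {22, 80, 443}).items()):
        print(n, key)
```

Feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog` (or the text lines as quoted) to see whether the blocked egress packets are all teardown tails of accepted sessions.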