PF Blocked TCP packets using flags F, P or R?

Recently my WLAN got a new citizen, a device running Android 8 (Oreo). Ever since then I have been seeing blocked packets show up in the firewall logs that belong to connections from the Android to my proxy server (Squid) running on port 3128. The dropped packets have flags F, P or R set:
Code:
2020-10-12 12:37:22.254685 rule 7.air.25/0(match): block in on wlan0: 10.6.8.4.57909 > 10.6.6.1.3128: Flags [F.], seq 1862561702, ack 1974147104, win 693, options [nop,nop,TS val 35747 ecr 678972576], length 0
2020-10-12 12:37:22.408626 rule 7.air.25/0(match): block in on wlan0: 10.6.8.4.57908 > 10.6.6.1.3128: Flags [P.], seq 857158349:857158372, ack 4155482869, win 798, options [nop,nop,TS val 35765 ecr 2586556459], length 23
2020-10-12 13:33:49.365779 rule 7.air.25/0(match): block in on wlan0: 10.6.8.4.57915 > 10.6.6.1.3128: Flags [R.], seq 2103374456, ack 3754428267, win 4414, options [nop,nop,TS val 38675 ecr 3382496206], length 0
Am I correct to assume that those packets belong to connections for which the state on the firewall has by then expired? What is the cause of such behaviour and what options are there to do something about it? Increase the timeout on the firewall? Client side config?
 
F(IN) is normal for a connection that's being closed. Just as the build-up of a connection uses a three-way handshake (SYN, SYN/ACK, ACK), a normal teardown uses something similar but uses the FIN flag instead of a SYN. A RST is sent when a packet is being sent to a closed port or when a connection is aborted. P(SH) has some usage these days.
 
It appears the Android client is trying to close down a TCP connection it had with the proxy server after a long time, but the firewall has no state matching that connection anymore, so the packet gets blocked:
Code:
2020-10-13 00:23:18.720319 rule 7.air.4/0(match): pass in on wlan0: 10.6.8.4.57987 > 10.6.6.1.3128: Flags [S], seq 1155043756, win 65535, options [mss 1460,sackOK,TS[|tcp]>
2020-10-13 01:19:25.902957 rule 7.air.25/0(match): block in on wlan0: 10.6.8.4.57987 > 10.6.6.1.3128: Flags [F.], seq 1155043999, ack 2456001238, win 1369, options [nop,nop,TS val 313465 ecr 2227438080], length 0
As can be seen here, that particular connection was established ~56 minutes prior to the FIN packet being blocked by pf. I'd say if there is no data flow and no keep-alive mechanism in place, the state is long gone by then. From my observation so far, I can tell that it's not happening to all connections to the proxy but only to some of them. I suspect it could have something to do with the Android entering some power-save sleep mode. Yet I do not see what could be done about that, configuration-wise, either on the Android or the firewall side.
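The manual correlation done in the post above (matching a blocked FIN to the earlier passed SYN of the same source/destination pair) can be automated over a longer log. This is an added example, not part of the thread; the function name stale_blocks and the output fields are assumptions, and the sample lines are copied from the log excerpts quoted above.

```python
import re
from datetime import datetime

# Log lines copied from the thread above (tcpdump output of the pf log).
SAMPLE = """\
2020-10-12 12:37:22.254685 rule 7.air.25/0(match): block in on wlan0: 10.6.8.4.57909 > 10.6.6.1.3128: Flags [F.], seq 1862561702, ack 1974147104, win 693, options [nop,nop,TS val 35747 ecr 678972576], length 0
2020-10-13 00:23:18.720319 rule 7.air.4/0(match): pass in on wlan0: 10.6.8.4.57987 > 10.6.6.1.3128: Flags [S], seq 1155043756, win 65535, options [mss 1460,sackOK,TS[|tcp]>
2020-10-13 01:19:25.902957 rule 7.air.25/0(match): block in on wlan0: 10.6.8.4.57987 > 10.6.6.1.3128: Flags [F.], seq 1155043999, ack 2456001238, win 1369, options [nop,nop,TS val 313465 ecr 2227438080], length 0
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+)\(match\): "
    r"(?P<action>pass|block) (?:in|out) on (?P<ifc>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
)


def stale_blocks(text):
    """Return one dict per blocked non-SYN packet, with the age of its flow.

    age_s is the time in seconds since the logged 'pass' SYN of the same
    src/dst pair, or None when the log holds no SYN for that pair.
    """
    syn_seen = {}   # (src ip.port, dst ip.port) -> time the SYN was passed
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pf log line in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        flow = (m["src"], m["dst"])
        flags = m["flags"]
        if m["action"] == "pass" and "S" in flags:
            syn_seen[flow] = ts
        elif m["action"] == "block" and "S" not in flags:
            start = syn_seen.get(flow)
            age = (ts - start).total_seconds() if start else None
            findings.append(
                {"flow": flow, "flags": flags, "rule": m["rule"], "age_s": age}
            )
    return findings


if __name__ == "__main__":
    for f in stale_blocks(SAMPLE):
        age = "no SYN in log" if f["age_s"] is None else f"{f['age_s'] / 60:.1f} min after SYN"
        print(f"{f['flow'][0]} > {f['flow'][1]} [{f['flags']}] rule {f['rule']}: {age}")
```

Comparing the reported ages against the timeouts listed by `pfctl -s timeouts` shows which timer the blocked packets are outliving.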
 